Re: Getting application root path before servlet is initialized?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/24/17 12:37 PM, Martin Knoblauch wrote: > On Fri, Feb 24, 2017 at 6:00 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> Martin, >> >> On 2/21/17 8:31 AM, Martin Knoblauch wrote: >>> Hi, >>> >>> is there a way to find the absolute path of the application >>> root before the servlet is initialized? >>> >>> Alternatively: is there a way to defer the initialization of a >>> datasource until the servlet is initialized? >>> >>> Background: I have extended >>> "org.apache.tomcat.jdbc.pool.DataSourceFactory" to >>> automatically set credentials so that they are not stored in >>> the "Catalina/localhost/XXX.xml" file. Instead they are taken >>> from encrypted values in a file below the application root. >>> Works fine if I know that path at "createDataSource" time. >> >> Where are you configuring your ? In conf/server.xml or >> in your application's META-INF/context.xml file? >> > > conf/Catalina/localhost/XXX.xml Good. If your custom DataSource can accept custom properties, then you can add one with a dynamic path, like this: In your code, you read that path and use it. >>> In order to avoid hard coding that path, I need a programmatic >>> to find that value. Unfortunately the datasource is initialized >>> before the servlet, so "getRealPath()" is not working yet. >> >> getRealPath is a bad idea. Also, your DataSources will be >> fully-configured before any servlets are initialized, so it's too >> late. > > Correct :-( That is the problem I need(ed) to solve. Given enough > assumptions about the deployment rules for this app, I was able to > find a reliable way to deduce the AppRoot. But the fact that the DS > is initialized before the/any servlet is still ugly. You can use system property replacement in your Tomcat deployment descriptor (META-INF/context.xml, or in your case conf/Catalina/localhost/XXX.xml) to locate the file relative to CATALINA_BASE like this: - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYsK//AAoJEBzwKT+lPKRYU0QP/30vNxE+FBStms0J8TA0aC6w ZPyA53htgBnMFbKEPt6zmSx3pYtdRE866I3IXiq7c8j9Fcy3c6img9ohVW9cwx+q Id8Gc1MqHNk1dMxSUpQN+YBVTg+N6hEQshocxcIAKJ7vzind1dUdJgnGLowZBb2G OCLbr8BqdhBz97Cw+B2tv+P310ez0RS1ZInbi0cTr7RHkFsUYPFL8Z86668ZYJGA HO5cOEv1+a2W6kIiVEcyDzAo65y6dlp8/Nn/7J00mufT241F/haON7KHWyGXSYKU C19zYFWjhbZWENrTO2gOSPumib12RgUs45mVbOzYKnMDAZxzMQETgtX31hJE9Pxt J++OLvF+OwdFwveBNNNpJOpAcmzmX40RSKp+wez+nLftvI6aKXTXKer8zIiYur9Y nu4cyj4Hjb1tFOFsl2+2jdhFjHb3dFJ/76qylMNgfpsjw1VYHiUlU6QM6G7I2xZd AROO6Nk4uPElPzl4u83pJ0knD7CKIV8oTE7H5/7pXgFU1SmUq+S/QLhN9Nvq2XKi Sykr/lxJWkDIpT1w3mRUhcnREODt4Uzp/0dpuD1i+oSrz8hIcAvZMqgAh8F1nSOQ d8N0TnrJ2w0j63R0mDfoNiRg+2Olxwy0J+xQgNimSC8rOPahu8msatUkXg/JtFDX z4DR8aawD45uJ+tO18Tr =bMSR -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting application root path before servlet is initialized?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/24/17 12:32 PM, Martin Knoblauch wrote: > On Fri, Feb 24, 2017 at 6:06 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> Martin, >> >> On 2/22/17 5:19 AM, Martin Knoblauch wrote: >>> On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas >>> wrote: >>> On 21/02/2017 13:31, Martin Knoblauch wrote: > Hi, > > is there a way to find the absolute path of the > application root before the servlet is initialized? > > Alternatively: is there a way to defer the initialization > of a datasource until the servlet is initialized? > > Background: I have extended "org.apache.tomcat.jdbc.pool. DataSourceFactory" > to automatically set credentials so that they are not > stored in the "Catalina/localhost/XXX.xml" file. Instead > they are taken from encrypted values in a file below the > application root. Works fine if I know that path > at "createDataSource" time. And the decryption key for that file is stored where? https://wiki.apache.org/tomcat/FAQ/Password >>> Thanks for link. It clearly reflects my opinion as well >> >> Good. At least you know this is all a farce. >> > > Not sure I'd call it a farce, but yes this is all hide and seek > > >> >>> , but the customer demand is: >>> >>> - no plain-text credentials (Big multinational company >>> security policies - fight them if you need the fun). And yes, >>> this is all about making auditors happy >> >> Obviously, you are still failing this requirement. The only >> requirement you are satisfying is "no plain-text credentials in >> a standard configuration file". What you are doing is moving the >> plain-text credentials into a non-standard configuration file. >> >> > No, there are no plain-text credentials stored anywhere. They are > stored crypted with an api to decrypt them. ... and the keys passed-into the API. > But of course > > - how good is the decryption key protected It must be plain-text somewhere. You can obscure it all you want, but you are just buying yourself a small amount of time. > - what about the in-memory copy of the credentials once the > datasource has been initialized They are always available, since the connection-pool manager may have to open a new connection at any moment. > - what about snooping them on the network when the DB connection is > built. OK. We are using SSL there. TLS should do your job, here. Of course, nobody needs your credentials if they can sniff the network traffic. So TLS is important to ensure. I would even require it as a condition of all non-local connections. > This makes most auditors and penetration testers sufficiently > happy. > > >>> - minimize the locations where credentials are stored. This is >>> only lightly related to the decrypt issue. Having to store >>> identical stuff in more than one place is opening up all other >>> sorts of practical issues >> >> This is a reasonable requirement, as it helps reduce the attack >> surface. But when the attack surface is "a file on the disk", >> getting owned means you are owned, regardless of the location of >> the file(s). >> >> As for the location of the secrets file, would it be possible to >> store it *outside* of the web application's on-disk footprint? >> That will in fact make you more secure. Let's say for example >> that a vulnerability exists in the DefaultServlet, or one of your >> application's own servlets. It allows path-traversal or whatever. >> A file living in your application will then be potentially >> remotely-fetchable :( If you move that file outside of the web >> application, you have a better change of preventing that kind of >> thing. > > There is no secrets file. As I said before - the app has obfuscated > the key deep in the source... So the secrets file is called MySecrets.class :) - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYsK2qAAoJEBzwKT+lPKRYQbEP/RamJmHnm+G3Pz4hCprsGrqA n6xCcdCyU2jMqHpIdnhVHNLoMAYmeRDHpetn4GTWLff3TNjcljRfEdmPggQOy4Ei bE7sq/1A79TS/Y+Xo2/QuYdMFHm0F0nAuyMsVdJ/XzoMuQtNlWjq3SlZQcYzkzGC aofnpd7FjtePrCyBeSQfyAZ+lep8Tjvsg0tzH03eUMsgM6RJ5E0jcloBbqm7hsVP oo6oS4cwts/Vq+PnNbmTiQaQA/wQWEvZRLQctflyeRYjvcLr5/ABJ1iBJc6tdTXA zY8qd8Zx2DMOdsSvVLSdjATm1YvT+ucQl5O1TJ6AXJKRa+f76eM17kr7fafOyG4U IeQgCwS9/q0UB4HH14bvsb9jhSXup3j5aNHMGgI6xyZtbaRoI8jrwQvGd/KNXDjQ jXtr7xBBWFTxE6r3bk5afJvHC+A3n0KlBySoQ4S0Wg6B37QFW+ThU4sTpOKrH/Bs NiM0r+qEDXA255O3LuvYJJUYPBGSL0AD7UaV14LWiFN9iPgWZyB633JW8Ngnm5ZO 9Ogp0udT4zjuZc2Q20MNuheR9LFKDcji0K92STGbhhHhsk/TBJBrijq2ApIAkeSH CDU5jIVfzjwd5vVXzlGc44s2vIbMxaok6grbEl5fWvthqlO3kYfgozHS1k43qvFb hPiAqnZv9E+e/fBqME4u =uY5I -END PGP SIGNATURE- - To unsubscribe, e-mail: users-
Re: Getting application root path before servlet is initialized?
On Fri, Feb 24, 2017 at 6:00 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Martin, > > On 2/21/17 8:31 AM, Martin Knoblauch wrote: > > Hi, > > > > is there a way to find the absolute path of the application root > > before the servlet is initialized? > > > > Alternatively: is there a way to defer the initialization of a > > datasource until the servlet is initialized? > > > > Background: I have extended > > "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically > > set credentials so that they are not stored in the > > "Catalina/localhost/XXX.xml" file. Instead they are taken from > > encrypted values in a file below the application root. Works fine > > if I know that path at "createDataSource" time. > > Where are you configuring your ? In conf/server.xml or in > your application's META-INF/context.xml file? > conf/Catalina/localhost/XXX.xml > > > In order to avoid hard coding that path, I need a programmatic to > > find that value. Unfortunately the datasource is initialized before > > the servlet, so "getRealPath()" is not working yet. > > getRealPath is a bad idea. Also, your DataSources will be > fully-configured before any servlets are initialized, so it's too late. > > Correct :-( That is the problem I need(ed) to solve. Given enough assumptions about the deployment rules for this app, I was able to find a reliable way to deduce the AppRoot. But the fact that the DS is initialized before the/any servlet is still ugly. Thanks Martin
Re: Getting application root path before servlet is initialized?
On Fri, Feb 24, 2017 at 6:06 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Martin, > > On 2/22/17 5:19 AM, Martin Knoblauch wrote: > > On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas > > wrote: > > > >> On 21/02/2017 13:31, Martin Knoblauch wrote: > >>> Hi, > >>> > >>> is there a way to find the absolute path of the application > >>> root before the servlet is initialized? > >>> > >>> Alternatively: is there a way to defer the initialization of a > >>> datasource until the servlet is initialized? > >>> > >>> Background: I have extended "org.apache.tomcat.jdbc.pool. > >> DataSourceFactory" > >>> to automatically set credentials so that they are not stored > >>> in the "Catalina/localhost/XXX.xml" file. Instead they are > >>> taken from encrypted values in a file below the application > >>> root. Works fine if I know that > >> path > >>> at "createDataSource" time. > >> > >> And the decryption key for that file is stored where? > >> > >> https://wiki.apache.org/tomcat/FAQ/Password > >> > >> > > Thanks for link. It clearly reflects my opinion as well > > Good. At least you know this is all a farce. > Not sure I'd call it a farce, but yes this is all hide and seek > > > , but the customer demand is: > > > > - no plain-text credentials (Big multinational company security > > policies - fight them if you need the fun). And yes, this is all > > about making auditors happy > > Obviously, you are still failing this requirement. The only > requirement you are satisfying is "no plain-text credentials in a > standard configuration file". What you are doing is moving the > plain-text credentials into a non-standard configuration file. > > No, there are no plain-text credentials stored anywhere. They are stored crypted with an api to decrypt them. But of course - how good is the decryption key protected - what about the in-memory copy of the credentials once the datasource has been initialized - what about snooping them on the network when the DB connection is built. OK. We are using SSL there. This makes most auditors and penetration testers sufficiently happy. > > - minimize the locations where credentials are stored. This is > > only lightly related to the decrypt issue. Having to store > > identical stuff in more than one place is opening up all other > > sorts of practical issues > > This is a reasonable requirement, as it helps reduce the attack > surface. But when the attack surface is "a file on the disk", getting > owned means you are owned, regardless of the location of the file(s). > > As for the location of the secrets file, would it be possible to store > it *outside* of the web application's on-disk footprint? That will in > fact make you more secure. Let's say for example that a vulnerability > exists in the DefaultServlet, or one of your application's own > servlets. It allows path-traversal or whatever. A file living in your > application will then be potentially remotely-fetchable :( If you move > that file outside of the web application, you have a better change of > preventing that kind of thing. > There is no secrets file. As I said before - the app has obfuscated the key deep in the source... Thanks Martin -- -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de
Re: Getting application root path before servlet is initialized?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/22/17 5:19 AM, Martin Knoblauch wrote: > On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas > wrote: > >> On 21/02/2017 13:31, Martin Knoblauch wrote: >>> Hi, >>> >>> is there a way to find the absolute path of the application >>> root before the servlet is initialized? >>> >>> Alternatively: is there a way to defer the initialization of a >>> datasource until the servlet is initialized? >>> >>> Background: I have extended "org.apache.tomcat.jdbc.pool. >> DataSourceFactory" >>> to automatically set credentials so that they are not stored >>> in the "Catalina/localhost/XXX.xml" file. Instead they are >>> taken from encrypted values in a file below the application >>> root. Works fine if I know that >> path >>> at "createDataSource" time. >> >> And the decryption key for that file is stored where? >> >> https://wiki.apache.org/tomcat/FAQ/Password >> >> > Thanks for link. It clearly reflects my opinion as well Good. At least you know this is all a farce. > , but the customer demand is: > > - no plain-text credentials (Big multinational company security > policies - fight them if you need the fun). And yes, this is all > about making auditors happy Obviously, you are still failing this requirement. The only requirement you are satisfying is "no plain-text credentials in a standard configuration file". What you are doing is moving the plain-text credentials into a non-standard configuration file. > - minimize the locations where credentials are stored. This is > only lightly related to the decrypt issue. Having to store > identical stuff in more than one place is opening up all other > sorts of practical issues This is a reasonable requirement, as it helps reduce the attack surface. But when the attack surface is "a file on the disk", getting owned means you are owned, regardless of the location of the file(s). As for the location of the secrets file, would it be possible to store it *outside* of the web application's on-disk footprint? That will in fact make you more secure. Let's say for example that a vulnerability exists in the DefaultServlet, or one of your application's own servlets. It allows path-traversal or whatever. A file living in your application will then be potentially remotely-fetchable :( If you move that file outside of the web application, you have a better change of preventing that kind of thing. If the file is located outside of the application, you may be able to reference it directly -- e.g. /etc/secrets/my-application-secrets.conf - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYsGgKAAoJEBzwKT+lPKRYzeEQAKV4Gn9E2ymPQpY4sQQqmuNW hTUVT2Wc/yIO5Cy7leyrDCTKIwPgasavmuF1c4qjno+i7Q9utL58s7XkeUYUpJTf 6y/Ry+XcCFtS493YAhNl64oJnAt5++vKSO7/b97qe2NaHbOfAGOH8IsNlyjelPPw N0an2Z8sjkyTQ+x7Anic239coEUf0wAKJ/lczI4KhkugHiz3JCwUQl/YqKRsgJZ7 UQQbX4lO/8qib+8Bcqgn1OoAf64bYN8J2/7/yB4+fEmEUeRc5NTK3knePDX2VtTr r62iRlh0a8YHHgEvgPNPwn4CwGF3gBYuv2Wfo6+g8exQpRBMwAIkyW7+FyulALGr +cCBn1X+9jiY8YZBqJxdweb02kotYga1rTUHAorguGHzGryCrC7KiVy5CdXC9aYj wTRlEKauXH+G878M0iJw1oMJlEiAOO+5UIW/Jb9T8Z8nhcpgRwb50O4IpwKU84Gn dMDhkUc6WL2almtlD9gu3/Uzbju41NzZWhEdXcfSr/JafsoiEBl2c1wAP/tgmzSu GvQnT1OHBpbNcqCOsKfGAi8B/HGwVHuaUCjVuTX8qfVf3EcZ1Y8A4COGLITorawr AbPgnHrTM9a16o+50Jzzylv4FUieBJlfehMgfRKhlEWPsBkeT0bfnBZGeXtnHsu6 4MzpshE1LrK5LI+5fvEJ =xzqv -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting application root path before servlet is initialized?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 2/21/17 8:31 AM, Martin Knoblauch wrote: > Hi, > > is there a way to find the absolute path of the application root > before the servlet is initialized? > > Alternatively: is there a way to defer the initialization of a > datasource until the servlet is initialized? > > Background: I have extended > "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically > set credentials so that they are not stored in the > "Catalina/localhost/XXX.xml" file. Instead they are taken from > encrypted values in a file below the application root. Works fine > if I know that path at "createDataSource" time. Where are you configuring your ? In conf/server.xml or in your application's META-INF/context.xml file? > In order to avoid hard coding that path, I need a programmatic to > find that value. Unfortunately the datasource is initialized before > the servlet, so "getRealPath()" is not working yet. getRealPath is a bad idea. Also, your DataSources will be fully-configured before any servlets are initialized, so it's too late. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYsGa4AAoJEBzwKT+lPKRYSFEP/148R7SLCoXyYMyx8e5heN+J 3YwyJriefzfD1Y1t/X2koKmluaz4waOZgFdiJDEoGwdYiX0r9oD/IGk026vrO9pF 5o/RRGB/WioedqniPRrdosn9zObYnAea2HNgn2uYndlHioJ1KSR9xomlcYuAiW9+ ZCaKxCH+jmnh9OXmpV025pfips8Iga4EKGE2mtQI6yGW9chgy1v+PX+3usMy6b2L jE0koGCBQcnaQQHxDsFI3sUBmnY8nkQ80bCq21gQy+TEvFs7mZte1i+Zi+pgwlTe mZ4RpMebQUZzqeH8fmEHUwSuaphrP2O+xq07rWl/oXQCjEQGrlZJml2C9C6nS3Ds 2uhfclEz+Yhb3aw/iRtEHXWKnTa58PZ4Qtqlq9gDH3SYvIj+ancPKy3Wkv+K+dc8 ora7qKl97OoAcsAkKT0dL+psUcpepskw7EoCiEwPHeQKqSKOW1X0PXNVpHgZD2J4 kjX38PzFmtTjWj+wPa8cdZmD576iT8iiD4nClwON0dF6ipOY6R321GKmXPT2UUup YSmSO39WqKuehy5uhIK4EXs0XGlZU4y5ASPS0frdAv3SvxX7BqxKT1UJLbrEQFm6 QTJuFlZeRuPxEnsKpBMaEQtTrbwB3M9FTP/znrjCh7Bxq0TuMSafe2/nCXEFg201 jpJkYWzch8pZ2CKzU6Yw =d2oI -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting application root path before servlet is initialized?
Dear Martin, On 21/02/17 13:31, Martin Knoblauch wrote: Hi, is there a way to find the absolute path of the application root before the servlet is initialized? Alternatively: is there a way to defer the initialization of a datasource until the servlet is initialized? Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically set credentials so that they are not stored in the "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted values in a file below the application root. Works fine if I know that path at "createDataSource" time. In order to avoid hard coding that path, I need a programmatic to find that value. Unfortunately the datasource is initialized before the servlet, so "getRealPath()" is not working yet. Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I do not want to name :-) Thanks in advance Martin For this purpose I use the ant properties interpolation on tomcat configuration xml-files http://tomcat.apache.org/tomcat-7.0-doc/config/index.html It may be you requirements needs a more elaborated solution, but this a convenient way to do it. Regards Antonio - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting application root path before servlet is initialized?
Am 22.02.2017 um 11:19 schrieb Martin Knoblauch: On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas wrote: On 21/02/2017 13:31, Martin Knoblauch wrote: Hi, is there a way to find the absolute path of the application root before the servlet is initialized? Alternatively: is there a way to defer the initialization of a datasource until the servlet is initialized? Background: I have extended "org.apache.tomcat.jdbc.pool. DataSourceFactory" to automatically set credentials so that they are not stored in the "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted values in a file below the application root. Works fine if I know that path at "createDataSource" time. And the decryption key for that file is stored where? https://wiki.apache.org/tomcat/FAQ/Password Thanks for link. It clearly reflects my opinion as well, but the customer demand is: - no plain-text credentials (Big multinational company security policies - fight them if you need the fun). And yes, this is all about making auditors happy - minimize the locations where credentials are stored. This is only lightly related to the decrypt issue. Having to store identical stuff in more than one place is opening up all other sorts of practical issues So, yes - any mechanism that can decrypt needs to store the key somewhere and this just shifts away the problem from securing one item to securing another one. In my case the application (that I will not reveal here) stores encrypted DB credentials in its configuration and provides an API to retrieve them decrypted. I guess, the key is somewhere in the source code (likely obfuscated to prevent casual hacking by debugging). the less I know ... :-) In order to avoid hard coding that path, I need a programmatic to find that value. Unfortunately the datasource is initialized before the servlet, so "getRealPath()" is not working yet. Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I do not want to name :-) Ignoring what I suspect is a fundamental flaw in this plan, you probably want a ServletContextListener and contextInitialized() Thanks again for the hint. Will have a look. In the meanwhile I found a way by looking at this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath(); Adding some assumptions about the classpath (which are required to be true in this whole context) this gives me the needed information :-) Thanks Martin Mark I could imagine that the use of a secure key-value store would be helpfull in this scenario. vault is a great solution for this. quick googling [1] brings a tomcat implementation for vault. If youre not allready familiar with vault, give it a try [2]. Daniel [1] https://github.com/januslabs/tomcat-vault [2] https://www.hashicorp.com/vault.html - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Getting application root path before servlet is initialized?
On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas wrote: > On 21/02/2017 13:31, Martin Knoblauch wrote: > > Hi, > > > > is there a way to find the absolute path of the application root before > > the servlet is initialized? > > > > Alternatively: is there a way to defer the initialization of a datasource > > until the servlet is initialized? > > > > Background: I have extended "org.apache.tomcat.jdbc.pool. > DataSourceFactory" > > to automatically set credentials so that they are not stored in the > > "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted > > values in a file below the application root. Works fine if I know that > path > > at "createDataSource" time. > > And the decryption key for that file is stored where? > > https://wiki.apache.org/tomcat/FAQ/Password > > Thanks for link. It clearly reflects my opinion as well, but the customer demand is: - no plain-text credentials (Big multinational company security policies - fight them if you need the fun). And yes, this is all about making auditors happy - minimize the locations where credentials are stored. This is only lightly related to the decrypt issue. Having to store identical stuff in more than one place is opening up all other sorts of practical issues So, yes - any mechanism that can decrypt needs to store the key somewhere and this just shifts away the problem from securing one item to securing another one. In my case the application (that I will not reveal here) stores encrypted DB credentials in its configuration and provides an API to retrieve them decrypted. I guess, the key is somewhere in the source code (likely obfuscated to prevent casual hacking by debugging). the less I know ... :-) > In order to avoid hard coding that path, I need a programmatic to find > that > > value. Unfortunately the datasource is initialized before the servlet, so > > "getRealPath()" is not working yet. > > > > Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I > > do not want to name :-) > > Ignoring what I suspect is a fundamental flaw in this plan, you probably > want a ServletContextListener and contextInitialized() > > Thanks again for the hint. Will have a look. In the meanwhile I found a way by looking at this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath(); Adding some assumptions about the classpath (which are required to be true in this whole context) this gives me the needed information :-) Thanks Martin > Mark > >
Re: Getting application root path before servlet is initialized?
On 21/02/2017 13:31, Martin Knoblauch wrote: > Hi, > > is there a way to find the absolute path of the application root before > the servlet is initialized? > > Alternatively: is there a way to defer the initialization of a datasource > until the servlet is initialized? > > Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory" > to automatically set credentials so that they are not stored in the > "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted > values in a file below the application root. Works fine if I know that path > at "createDataSource" time. And the decryption key for that file is stored where? https://wiki.apache.org/tomcat/FAQ/Password > In order to avoid hard coding that path, I need a programmatic to find that > value. Unfortunately the datasource is initialized before the servlet, so > "getRealPath()" is not working yet. > > Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I > do not want to name :-) Ignoring what I suspect is a fundamental flaw in this plan, you probably want a ServletContextListener and contextInitialized() Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Getting application root path before servlet is initialized?
Hi, is there a way to find the absolute path of the application root before the servlet is initialized? Alternatively: is there a way to defer the initialization of a datasource until the servlet is initialized? Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory" to automatically set credentials so that they are not stored in the "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted values in a file below the application root. Works fine if I know that path at "createDataSource" time. In order to avoid hard coding that path, I need a programmatic to find that value. Unfortunately the datasource is initialized before the servlet, so "getRealPath()" is not working yet. Environment is Tomcat 8 plus JDK 8. Plus an commercial application that I do not want to name :-) Thanks in advance Martin -- -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de