Re: running tomcat6 under a different user than root (debian)

2010-11-01 Thread Christopher Schultz
Mark, On 10/29/2010 10:04 AM, Mark Thomas wrote: On 29/10/2010 14:53, Ronald Klop wrote: If you have a webapp where users log in you can use their login/password to login on the database. A little bit inconvenient for the DBA but you don't have

Re: running tomcat6 under a different user than root (debian)

2010-11-01 Thread Christopher Schultz
Darryl, On 10/29/2010 9:19 AM, Darryl Lewis wrote: Are you serious? Why do we bother with SSL then? Let's just send everything in clear text... You might be misunderstanding the way that SSL works if you think these two are comparable. A simple

Re: running tomcat6 under a different user than root (debian)

2010-11-01 Thread Christopher Schultz
Daryl, On 10/30/2010 5:11 PM, Darryl Lewis wrote: That's why we encrypt passwords in unix, or haven't you looked at etc/passwd lately? Are you going to tell me that is complete nonsense? The credentialing mechanism is the keyboard and the user's

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Pid
On 30/10/2010 22:11, Darryl Lewis wrote: Yeah, well reasoned rebuttal there... not. Oh, I don't know. It was succinct, to the point, and unlike your statement, accurate. You declared, on a public mailing list which is republished on web based forums and is therefore Googlable, that Tomcat

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Mark Thomas
On 30/10/2010 22:11, Darryl Lewis wrote: That's why we encrypt passwords in unix, or haven't you looked at etc/passwd lately? Are you going to tell me that is complete nonsense? Yet again you demonstrate your lack of understanding in this area. Those are hashes since the OS never needs access

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Mark Thomas
On 31/10/2010 04:53, Mladen Turk wrote: On 10/30/2010 07:28 PM, Mark Thomas wrote: On 30/10/2010 12:59, Mladen Turk wrote: On 10/29/2010 03:29 PM, Mark Thomas wrote: I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Mark Thomas
On 31/10/2010 12:29, Mark Thomas wrote: On 31/10/2010 04:53, Mladen Turk wrote: On 10/30/2010 07:28 PM, Mark Thomas wrote: On 30/10/2010 12:59, Mladen Turk wrote: On 10/29/2010 03:29 PM, Mark Thomas wrote: I never said passwords should never be protected. I was quite specific that trying to

RE: running tomcat6 under a different user than root (debian)

2010-10-31 Thread George Sexton
-Original Message- From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Sent: Saturday, October 30, 2010 3:12 PM To: Tomcat Users List Subject: Re: running tomcat6 under a different user than root (debian) Yeah, well reasoned rebuttal there... not. That's why we encrypt

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Darryl Lewis
http://www.devdoctor.com/blog/2009/07/how-to-encrypt-passwords-in-tomcat.php On 31/10/10 11:44 PM, Mark Thomas ma...@apache.org wrote: On 31/10/2010 12:29, Mark Thomas wrote: On 31/10/2010 04:53, Mladen Turk wrote: On 10/30/2010 07:28 PM, Mark Thomas wrote: On 30/10/2010 12:59, Mladen Turk

Re: running tomcat6 under a different user than root (debian)

2010-10-31 Thread Pid
On 31/10/2010 21:44, Darryl Lewis wrote: http://www.devdoctor.com/blog/2009/07/how-to-encrypt-passwords-in-tomcat.php That article is a little confused. Using digest in a Realm won't help you obfuscate a password in a DataSource defined in server.xml (or anywhere else).

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Christoph Kukulies
On 29.10.2010 15:29, Mark Thomas wrote: On 29/10/2010 14:19, Darryl Lewis wrote: Are you serious? Completely. If you have a scheme that encrypts the database username and password in server.xml and provides genuine additional security over and above limiting access to server.xml to the user

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Pid
On 30/10/2010 09:19, Christoph Kukulies wrote: On 29.10.2010 15:29, Mark Thomas wrote: On 29/10/2010 14:19, Darryl Lewis wrote: Are you serious? Completely. If you have a scheme that encrypts the database username and password in server.xml and provides genuine additional security over and

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Darryl Lewis
Use encryption http://java.sys-con.com/node/393364 On 30/10/10 8:41 PM, Pid p...@pidster.com wrote: On 30/10/2010 09:19, Christoph Kukulies wrote: On 29.10.2010 15:29, Mark Thomas wrote: On 29/10/2010 14:19, Darryl Lewis wrote: Are you serious? Completely. If you have a scheme that

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mladen Turk
On 10/29/2010 03:29 PM, Mark Thomas wrote: I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in server.xml (or context.xml for that matter) for database resources is a complete waste of time. Agreed. If the hacker is already

RE: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Caldarale, Charles R
From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) Use encryption http://java.sys-con.com/node/393364 Sorry, that just moves the problem. The article completely ignores the issue of where to put the decryption key

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Darryl Lewis
wrote: From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) Use encryption http://java.sys-con.com/node/393364 Sorry, that just moves the problem. The article completely ignores the issue of where to put the decryption key

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mark Thomas
On 30/10/2010 13:27, Caldarale, Charles R wrote: P.S. Interesting that the author of that article was using a Tomcat already three years old at the time of publication; doesn't really help the somewhat questionable credibility. (Reference implementations shouldn't be used in production?

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mark Thomas
On 30/10/2010 15:19, Darryl Lewis wrote: Well so far all this discussion has done is to make me realise that tomcat should not be used in an environment that requires security. If cracking an app will let you get passwords on another box, that is weak security. You are missing the point.

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mark Thomas
On 30/10/2010 12:59, Mladen Turk wrote: On 10/29/2010 03:29 PM, Mark Thomas wrote: I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in server.xml (or context.xml for that matter) for database resources is a complete waste

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mark Thomas
On 30/10/2010 18:27, Mark Thomas wrote: On 30/10/2010 15:19, Darryl Lewis wrote: Well so far all this discussion has done is to make me realise that tomcat should not be used in an environment that requires security. If cracking an app will let you get passwords on another box, that is weak

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Pid *
, that is weak security. On 30/10/10 11:27 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) Use encryption http://java.sys-con.com/node/393364 Sorry

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Darryl Lewis
If cracking an app will let you get passwords on another box, that is weak security. On 30/10/10 11:27 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian

RE: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Caldarale, Charles R
From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) That's why we encrypt passwords in unix, or haven't you looked at etc/passwd lately? No, we encrypt them in Linux because the (very outmoded) /etc/passwd file

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mladen Turk
On 10/30/2010 11:11 PM, Darryl Lewis wrote: Yeah, well reasoned rebuttal there... not. That's why we encrypt passwords in unix, or haven't you looked at etc/passwd lately? Have *you* ever looked at the etc/passwd? First of all it is not encrypted. It contains a hash value of the password so
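The distinction Mladen Turk and Mark Thomas draw above (the OS stores a hash because it never needs the password back, whereas Tomcat must hand the real password to the database), together with Charles Caldarale's objection that encrypting the value in server.xml only moves the problem to the decryption key, can be shown in code. The Python below is an added illustration written for this page, not code from the thread or from Tomcat. It models a host as a dictionary of path to (owning user, content) with a simplified rule that only the owner or root can read a file; the file names, the `tomcat6` account and the key location are assumptions. The HMAC-SHA256 keystream cipher stands in for whatever "encrypt the DataSource password" scheme a vendor might use (the standard library has no AES); the only property that matters here is that anyone holding the key gets the plaintext.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# --- Verify-only storage, the /etc/shadow model (PBKDF2-HMAC-SHA256) ----------

def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash. Nothing in this module can turn it back into the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_password(candidate: str, stored: str) -> bool:
    """Recompute from the candidate and compare in constant time (the login path)."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)

# --- Reversible storage, what an "encrypted server.xml password" requires -----
# Toy stream cipher: HMAC-SHA256 in counter mode, a stand-in for a real cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(password: str, key: bytes) -> str:
    nonce = secrets.token_bytes(12)
    data = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode("ascii")

def decrypt_password(blob: str, key: bytes) -> str:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")

# --- A model host: path -> (owning user, content). Names and paths are assumed.

Host = Dict[str, Tuple[str, object]]

def build_host(db_password: str, tomcat_user: str = "tomcat6") -> Host:
    key = secrets.token_bytes(32)   # the decryption key has to live somewhere Tomcat can read
    return {
        "/etc/tomcat6/server.xml": (tomcat_user, {"password": encrypt_password(db_password, key)}),
        "/etc/tomcat6/datasource.key": (tomcat_user, key),
        "/etc/shadow": ("root", {"dba": hash_password(db_password)}),
    }

def read_as(host: Host, user: str, path: str):
    """Simplified Unix rule: the owner or root can read a file, nobody else."""
    owner, content = host[path]
    if user != "root" and user != owner:
        raise PermissionError(f"{user} cannot read {path}")
    return content

def recover_datasource_password(host: Host, user: str = "tomcat6") -> str:
    """Attacker with a shell as the Tomcat user: ciphertext plus key gives plaintext."""
    blob = read_as(host, user, "/etc/tomcat6/server.xml")["password"]
    key = read_as(host, user, "/etc/tomcat6/datasource.key")
    return decrypt_password(blob, key)

def can_read_shadow(host: Host, user: str) -> bool:
    try:
        read_as(host, user, "/etc/shadow")
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    host = build_host("dba-s3cret")
    print("recovered from 'encrypted' server.xml:", recover_datasource_password(host))
    print("tomcat6 can read /etc/shadow:", can_read_shadow(host, "tomcat6"))
    print("hash verifies:", verify_password("dba-s3cret", host["/etc/shadow"][1]["dba"]))
```

The asymmetry is the whole argument: `verify_password` answers yes or no and is all the OS needs, so a leaked hash still has to be cracked; `recover_datasource_password` succeeds for the Tomcat user by construction, because Tomcat itself must be able to perform exactly those two reads. Moving the key to another file, environment variable or JVM system property changes the path in `read_as`, not the outcome.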

Re: running tomcat6 under a different user than root (debian)

2010-10-30 Thread Mladen Turk
On 10/30/2010 07:28 PM, Mark Thomas wrote: On 30/10/2010 12:59, Mladen Turk wrote: On 10/29/2010 03:29 PM, Mark Thomas wrote: I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in server.xml (or context.xml for that matter)

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Pid
On 29/10/2010 10:57, Christoph Kukulies wrote: How can I run tomcat under a different user than root (debian e.g.)? Use a service wrapper. http://tomcat.apache.org/tomcat-6.0-doc/setup.html#Unix_daemon

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Konstantin Kolinko
2010/10/29 Christoph Kukulies k...@kukulies.org: How can I run tomcat under a different user than root (debian e.g.)? How do you run it now? Nobody should run Tomcat as root. Best regards, Konstantin Kolinko

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Darryl Lewis
No one should, but I had a supplier recommend to run their application as root. All their scripts and configuration instructions were for running as root. Needless to say I didn't run it as that and rewrote their installation scripts. Now I have to try and convince them that storing the database

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Pid
On 29/10/2010 12:03, Darryl Lewis wrote: No one should, but I had a supplier recommend to run their application as root. All their scripts and configuration instructions were for running as root. Needless to say I didn't run it as that and rewrote their installation scripts. Now I have to

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Mark Thomas
On 29/10/2010 12:03, Darryl Lewis wrote: Now I have to try and convince them that storing the database connection username and passwords in plaintext are a bad idea... I trust that the supplier replies that there is nothing wrong with this approach. The most you'll ever be able to achieve is

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Darryl Lewis
Encrypt the username and passwords using Realm configuration. You should always assume there is the possibility that a user will get access to the system via a badly written program. Whilst they might get some system access, you should make it as difficult as possible for them to jump to the next

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Darryl Lewis
Are you serious? Why do we bother with SSL then? Let's just send everything in clear text... On 29/10/10 11:03 PM, Mark Thomas ma...@apache.org wrote: On 29/10/2010 12:03, Darryl Lewis wrote: Now I have to try and convince them that storing the database connection username and passwords in

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Mark Thomas
On 29/10/2010 14:19, Darryl Lewis wrote: Are you serious? Completely. If you have a scheme that encrypts the database username and password in server.xml and provides genuine additional security over and above limiting access to server.xml to the user running Tomcat (and root) I'd love to hear
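Two practical controls come out of the thread: run the JVM as a dedicated account rather than root (Konstantin Kolinko's "Nobody should run Tomcat as root", and Pid's pointer to the jsvc daemon, which starts as root to bind privileged ports and then drops to the account given with `-user`), and limit read access to server.xml to that account and root, which is the baseline Mark Thomas says any encryption scheme would have to beat. The Python below is an added audit script for those two controls, written for this page and not part of the thread or of Tomcat. It assumes a Linux host (`/proc/<pid>/status`, with `ps` as a fallback), a Debian-style layout under `/etc/tomcat6`, and a pid file at `/var/run/tomcat6.pid`; group-read is tolerated because Debian's packaging gives the config files to a service group, while world-read and any group or world write are reported.

```python
import os
import stat
import subprocess
import sys
import tempfile
from typing import List, Optional

def process_uid(pid: int) -> int:
    """Real uid of a live process: /proc/<pid>/status on Linux, ps(1) elsewhere."""
    status = f"/proc/{pid}/status"
    if os.path.exists(status):
        with open(status) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[1])   # fields: real, effective, saved, fs
    out = subprocess.check_output(["ps", "-o", "uid=", "-p", str(pid)], text=True)
    return int(out.strip())

def audit_process(pid: int, service_uid: Optional[int] = None) -> List[str]:
    """Findings for the JVM itself: running as root, or not as the expected service account."""
    uid = process_uid(pid)
    findings = []
    if uid == 0:
        findings.append(f"pid {pid} runs as root (uid 0); start it via jsvc -user or the distro service user")
    elif service_uid is not None and uid != service_uid:
        findings.append(f"pid {pid} runs as uid {uid}, expected {service_uid}")
    return findings

def audit_config_file(path: str, service_uid: Optional[int] = None) -> List[str]:
    """Findings for a credential-bearing file (server.xml, context.xml, tomcat-users.xml):
    owner must be root or the service account, no world read, no group/world write."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{path}: world-readable (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group- or world-writable (mode {mode:04o})")
    if service_uid is not None and st.st_uid not in (0, service_uid):
        findings.append(f"{path}: owned by uid {st.st_uid}, expected root or {service_uid}")
    return findings

def audit(pid: int, config_files: List[str], service_uid: Optional[int] = None) -> List[str]:
    """Combined report; an empty list means both controls hold."""
    findings = audit_process(pid, service_uid)
    for path in config_files:
        findings.extend(audit_config_file(path, service_uid))
    return findings

def self_uid_consistent() -> bool:
    """Sanity check: our own pid reports our own real uid."""
    return process_uid(os.getpid()) == os.getuid()

def audit_sample_file(mode: int) -> List[str]:
    """Create a throwaway file with the given mode, audit it, remove it (used for testing)."""
    fd, path = tempfile.mkstemp(prefix="server.xml.")
    try:
        os.close(fd)
        os.chmod(path, mode)
        return audit_config_file(path, service_uid=os.getuid())
    finally:
        os.unlink(path)

if __name__ == "__main__":
    # Assumed Debian layout; pass a pid on the command line to audit another process.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else int(open("/var/run/tomcat6.pid").read())
    service_uid = process_uid(pid)
    files = ["/etc/tomcat6/server.xml", "/etc/tomcat6/context.xml", "/etc/tomcat6/tomcat-users.xml"]
    for finding in audit(pid, files, service_uid) or ["no findings"]:
        print(finding)
```

The script deliberately checks the running process rather than the init script: a supplier's installation instructions can say "run as root" in several places, and the pid file records what actually happened. Mode 0640 owned by `root:tomcat6` passes, which is the configuration the thread treats as the baseline.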

RE: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Caldarale, Charles R
From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au] Subject: Re: running tomcat6 under a different user than root (debian) Are you serious? Definitely. Think it through. Why do we bother with SSL then? Lets just send everything in clear text... Perhaps you failed to notice

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Mark Thomas
On 29/10/2010 14:18, Darryl Lewis wrote: Encrypt the username and passwords using Realm configuration. Realms have nothing to do with the usernames and passwords used to connect to databases defined via Resource tags. You should always assume there is the possibility that a user will get

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Rainer Frey
On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely nothing you can do to prevent that. In

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Mark Thomas
On 29/10/2010 14:42, Rainer Frey wrote: On Friday 29 October 2010 15:34:29 Mark Thomas wrote: If Tomcat has access to a database and the attacker has access to a shell prompt (or similar) with the same privileges as Tomcat then the attacker has access to the database and there is absolutely

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Ronald Klop
If you have a webapp where users log in you can use their login/password to login on the database. A little bit inconvenient for the DBA but you don't have passwords on your servers. Ronald. On Friday, 29 October 2010 15:42, Rainer Frey rainer.f...@inxmail.de wrote: On Friday 29

Re: running tomcat6 under a different user than root (debian)

2010-10-29 Thread Mark Thomas
On 29/10/2010 14:53, Ronald Klop wrote: If you have a webapp where users log in you can use there login/password to login on the database. A little bit inconvenient for the DBA but you don't have passwords on your servers. It isn't quite that clear cut. There are some trade-offs to make with