If saving your passwords (or really any sensitive information) in any kind of a system whether it is a flat file (txt, XML, etc) or a database there is no sure way of keeping this safe. So use as many measures as you can without compromising usability. This way if the OS gets compromised and the file is available they won't be able to readily read your information. Especially necessary if you're not hosting your own server. The admins aren't supposed to look in your files but you can't be too trusting and you're relying on their ability to keep the system secure.
The basic idea I have seen is that you use whatever security the OS/Database can give you (like you have) as well as an encryption scheme when saving the data. This can be simply your own function which can encrypt / decrypt what you store or retrieve from the XML file, or you can go as in depth as you want and use some major encryption schemes.

Hope this helps,
Matt

Quoting Geeta Ramani <[EMAIL PROTECTED]>:

> Hi all:
>
> The subject says it all: currently I am storing information that my
> connection pool uses like database URL, username and password in the web.xml
> as init-params. I thought that if I secured WEB-INF with go-rwx, this is
> secure. But in a recent code-review this has been brought into question.
> So here are my questions:
>
> 1. Am I deluding myself that this is safe?
> 2. If so, is there some way that any of you has solved the problem?
>
> I looked in the archives, but all the discussion with passwords seems to
> be around the issue of encrypting un/pw pairs entered in a browser, for
> which, of course, SSL and one way encryption can be used. I mention this
> so my question is not misunderstood.
>
> Thanks very much!
> Geeta
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
> ___________________________________________________________________________
