Jonathan Cobb wrote:
>
> [snip]
>
> I think the idea of removing passwords from config files, or at least
> having the option to do so, is a great one. Keep us posted on the
> status of your module. :)

Will do. Actually, the general feeling at this point is to step back and
implement a more comprehensive solution to ALL external resource
security. This would include SSL keystore passwords, JDBC Realm
passwords, LDAP, etc. Users would then have the option of removing _all_
sensitive data from the config files, and instead having them stored in
an encrypted repository. I had hoped to have an unofficial, stopgap SSL
prompter in the meantime, but the changes required to the container
itself initially proved to be too involved just to get one single hack.
Larry Isaacs and I have been trying to get a generic module for
SSL-prompting up and running for the 3.3 space, and he's recently come
up with a rather clever idea for the startup integration conundrum. I'm
in the process of trying to integrate his solution with my command-line
utility in order to provide a temporary solution for SSL security in the
3.3 space, so if you're running Tomcat 3.3 and are concerned about the
keystore password in particular, you may have a temporary workaround
soon. Aside from that, I'd like to see the comprehensive external
security module (codename LitterBox) in a stable state within the next
thirty days or so. A few people have expressed an interest in
contributing to it, so I think that timeframe is doable. I'll keep you
posted =)

Regards,
Christopher