To connect to a database, you need the *real* userid/password. (IIRC) SHA1 and MD5 are both one-way hashes, so you can't use them for database connectivity.

The only feasible alternative (which isn't present in Tomcat) is to force a password to be entered by keyboard on Tomcat startup to allow decryption of passwords. (Like protected keys for SSL.)


-Tim


Curley, Thomas wrote:

I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on Unix file-level security - what happens if a hacker gets root privs?

thanks

Thomas

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml


The username and password still need to be decrypted at some time. It just makes the attacker jump through 1 hoop.


Using file permissions on the config file, as well as server security, are the ways to go.

-Tim

Curley, Thomas wrote:


Hi all,

A direct question arising from a security review:

Using a datasource, is it possible to remove the 'username' and 'password', or at least encrypt them using something like MD5?




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]








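As an added example that is not part of the thread, here is a small POSIX shell check that enforces the file-permission advice given above on a Tomcat server.xml: it reports any inline password attributes and fails unless the file is readable by its owner only. The sample datasource fragment, its names and its values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a Tomcat server.xml the way the
# advice above implies: the file must be readable only by its owner, and any
# Resource that still carries an inline password= attribute is reported so
# the operator knows which credentials depend on that permission.
# make_sample_server_xml writes a constructed fragment (hypothetical values)
# for trying the check offline; real server.xml files are checked the same way.

make_sample_server_xml() {
  cat > "$1" <<'EOF'
<Context>
  <Resource name="jdbc/AppDS" auth="Container" type="javax.sql.DataSource"
            username="appuser" password="constructed-sample-secret"
            url="jdbc:mysql://db.example.invalid/app"/>
</Context>
EOF
}

# Prints the octal permission bits; works with both GNU and BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Counts password="..." attributes that carry a non-empty value.
count_plain_passwords() {
  grep -Eo 'password="[^"]+"' "$1" | wc -l | tr -d ' '
}

# Returns 0 when the mode is owner-only (600 or 400), 1 otherwise.
check_server_xml() {
  f="$1"
  n=$(count_plain_passwords "$f")
  if [ "$n" -gt 0 ]; then
    echo "INFO: $f contains $n inline password attribute(s)"
  fi
  mode=$(file_mode "$f")
  case "$mode" in
    600|400) echo "OK: $f is readable by its owner only"; return 0 ;;
    *) echo "WARN: $f mode $mode lets group/other read the credentials; chmod 600 it"; return 1 ;;
  esac
}
```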


