The authentication values (user name, user role and password) are not stored
in the web.xml file. They are stored in your database, whose tables
presumably can be password protected. What is in the web.xml file is
configuration info concerning the resources that are to be protected, what
roles have access to them and the level of security that applies to the
resources.

The servlet needing authentication protection does not need access to
web.xml at all so the file can be owned by root (or not) with the server
running as root and having access to it.

I believe all this accomplishes the objective stated in your third point
below.

Hope this helps. If not, I'm afraid I'm out of ideas.
-- 
Tom Woteki, a.k.a. Dr. Wo
mail to:<[EMAIL PROTECTED]>
202-544-2743 (fax)
http://www.woteki.com/wines <-- a pure Java, Apache-Tomcat web application
running under MacOSX
> user/password the servlet uses to access the database.  If the values
> are simply stored in web.xml, what is to prevent anyone with access to
> the system from reading the web.xml file and compromising the database

> On the other hand, if web.xml is root
> protected (i.e., need root privileges to read it), other than running
> the servlet as root, how do I read the file.  That's the quandary.

> What I need is a similar mechanism of securing the
> servlet's credentials against unauthorized access while still enabling
> the servlet to read them up. 

