I am working on something similar to this. I need the password that will unlock a PKCS12 file, and what I have done is embed tomcat in a C application. I have the C code prompt for the password, and then pass the password to the JVM via the Invocation API. Since Java has no good way of reading in a password from a terminal that I know of, this was the only solution that I could come up with.
On a side note, I have only gotten this to work with the tomcat 4.x series. So if anyone can offer some help with regards to embedding tomcat 5.x, I would appreciate it. On another note, if anyone knows of a better way to handle the password entry problem, please let me know. I think a few people have issues with passwords in the clear, no matter what the permissions of the file are. Thank you.

-------Original Message-------
> From: Tim Funk <[EMAIL PROTECTED]>
> Subject: Re: How to Secure my Passwd Info from server.xml file?
> Sent: 27 Mar 2004 14:02:48
>
> No there is no way currently. The problem is the password needs to be decoded and no
> method to do this securely has been proposed. Other vendors might do this but
> they probably just use a proprietary encoding algorithm which is just security
> through obscurity.
>
> The recommended workaround now is:
> 1) Custom realm - so your implementation encryption can be a "secret"
> 2) Make server.xml read-only for the userid needing to run tomcat and let no
> one have access to that box with that ID
>
> -Tim
>
> Cathy Hui wrote:
> > I probably didn't state my question more clearly.
> >
> > What I actually want to encrypt is the dblogin passwd, not the user
> > login to tomcat. Is there a way to do that?
> >
> > Thanks for the reply!
> >
> > Cathy
> >
> > -----Original Message-----
> > From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 25, 2004 10:49 AM
> > To: Tomcat Users List
> > Subject: RE: How to Secure my Passwd Info from server.xml file?
> >
> > Hi,
> > No, you have to write a custom realm for this. A couple of others have
> > asked in the past, so you may wish to search the archives to see if they
> > posted their solutions.
> >
> > If you come up with something nice and generic, it'd be a nice donation
> > to tomcat ;)
> >
> > Yoav Shapira
> > Millennium Research Informatics
> >
> >>-----Original Message-----
> >>From: Cathy Hui [mailto:[EMAIL PROTECTED]
> >>Sent: Thursday, March 25, 2004 1:41 PM
> >>To: [EMAIL PROTECTED]; tomcat-user-
> >>[EMAIL PROTECTED]; [EMAIL PROTECTED]; tomcat-
> >>[EMAIL PROTECTED]
> >>Subject: How to Secure my Passwd Info from server.xml file?
> >>
> >>I am trying to solve a security issue with my webapp. We are using
> >>tomcat's connection pooling for our webapp. The database username and
> >>password are specified in the server.xml file (as shown below).
> >>
> >>Is there a way to encrypt the password, and tomcat should decrypt the
> >>password before establishing the database connection. We are trying to
> >>do this without changing the tomcat code itself. Is it a setting in
> >>tomcat, or is there a 3rd party software?
> >>
> >>Any suggestions/solutions are appreciated. Thanks
> >><Resource name="jdbc/iOQDB" auth="Container"
> >>type="javax.sql.DataSource"/>
> >><ResourceParams name="jdbc/iOQDB">
> >><parameter>
> >><name>username</name>
> >><value>myuser</value>
> >></parameter>
> >><parameter>
> >><name>password</name>
> >><value>mypassword</value>
> >></parameter>
> >></ResourceParams>
> >>
> >>Thanks!
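
The native side of the approach in the first message (prompt in C, then hand the password to the embedded JVM) can read the password with terminal echo off, as in this added example, which is not the poster's code. The names `read_secret` and `wipe` are hypothetical, and the hand-off to the JVM is only marked by a comment.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fileno() and termios */
#endif
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Zero a buffer through a volatile pointer so the wipe is not optimised away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line from `in` into buf with terminal echo disabled.
 * Returns the password length, or -1 on EOF, error or an over-long line
 * (buf is wiped on failure). Echo handling is skipped for non-terminals. */
static long read_secret(FILE *in, char *buf, size_t cap) {
    struct termios saved = {0}, quiet;
    int fd = fileno(in);
    int tty = fd >= 0 && isatty(fd) && tcgetattr(fd, &saved) == 0;
    long len = -1;

    if (tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;   /* do not echo typed characters */
        quiet.c_lflag |= ECHONL;            /* but still echo the newline */
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0) return -1;
    }
    if (cap >= 2 && fgets(buf, (int)cap, in) != NULL) {
        size_t n = strcspn(buf, "\r\n");
        if (buf[n] != '\0' || feof(in)) {   /* a complete line was read */
            wipe(buf + n, cap - n);         /* drop the line terminator */
            len = (long)n;
        }
    }
    if (tty) tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore echo */
    if (len < 0) wipe(buf, cap);
    return len;
}

int main(void) {
    char pw[128];
    fputs("Keystore password: ", stderr);
    if (read_secret(stdin, pw, sizeof pw) < 0) return 1;
    /* Pass pw to the embedded JVM here, then clear the C-side copy. */
    wipe(pw, sizeof pw);
    return 0;
}
```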
