Thanks Doug and Tim for the input.

-----Original Message-----
From: Parsons Technical Services [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 27, 2004 11:04 AM
To: Tomcat Users List
Subject: Re: How to Secure my Passwd Info from server.xml file?

Cathy and list,

I have been running this one through my head and have a couple of hang-ups.

Since in this case Tomcat is acting as the client, the use of an encrypted password would only work if you unencrypt it to send it. If the hacker can read the server.xml, then he has access to the code that does the unencryption. Obfuscation would help here but not be totally secure.

As some of you know and others don't, the way an encrypted password works is this: when the password is set in the first place it is run through an algorithm that encrypts it. Then when you enter a password to access whatever, the system encrypts your input with the same algorithm and compares the results. If it matches, then you're in.

Now since Tomcat is acting as a client, TOMCAT is SENDING the password attempt to be encrypted and compared. If there were a simple way to unencrypt the password to send it, then the whole idea of encrypted passwords would be a waste, in that everyone could simply unencrypt the password. The fundamental idea behind encrypted passwords is that they are very difficult to unencrypt. Most password crackers have a brute force section which simply encrypts every possible combination of characters and does the compare.

So the first line of defense is to prevent the person from getting to the file, as mentioned in other emails. If there are people that you do not trust with access to the protected files, then your security policy has some major flaws in it. Locking the glovebox in a car is useless if you give the thief the keys to the ignition. And to ask it another way, do you lock the glovebox in your car just in case someone breaks in? So my point is, lock the car first (protect the file). If they break into the car (hack the box/file), then you have much bigger problems than this password. If they have the key and you don't trust them, take away the key!

The best place to put a password is in plain sight. If you want a little trickery to mess with their mind, then try this. Simply create a password that appears to be encrypted. As noted in an email on this thread from Tim Funk, "just security through obscurity."

JSO97J6HH4VHT3FFC92K39K

Now enter that as the password in the database. Most people looking at this will think it is encrypted, and second, would find it very hard to remember. For applications such as this, always use the maximum length of password and create it from random strokes. You don't have to remember it, so it doesn't matter.

Just my $0.02 worth. Sorry for the long rant, just had to get it off my chest.

Doug

----- Original Message -----
From: "Cathy Hui" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, March 26, 2004 5:16 PM
Subject: RE: How to Secure my Passwd Info from server.xml file?

I probably didn't state my question clearly. What I actually want to encrypt is the db login passwd, not the user login to Tomcat. Is there a way to do that?

Thanks for the reply!

Cathy

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 25, 2004 10:49 AM
To: Tomcat Users List
Subject: RE: How to Secure my Passwd Info from server.xml file?

Hi,

No, you have to write a custom realm for this. A couple of others have asked in the past, so you may wish to search the archives to see if they posted their solutions. If you come up with something nice and generic, it'd be a nice donation to Tomcat ;)

Yoav Shapira
Millennium Research Informatics

>-----Original Message-----
>From: Cathy Hui [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, March 25, 2004 1:41 PM
>To: [EMAIL PROTECTED]; tomcat-user-[EMAIL PROTECTED]; [EMAIL PROTECTED]; tomcat-[EMAIL PROTECTED]
>Subject: How to Secure my Passwd Info from server.xml file?
>
>I am trying to solve a security issue with my webapp. We are using
>Tomcat's connection pooling for our webapp. The database username and
>password are specified in the server.xml file (as shown below).
>
>Is there a way to encrypt the password, so that Tomcat decrypts the
>password before establishing the database connection? We are trying to
>do this without changing the Tomcat code itself. Is it a setting in
>Tomcat, or is there 3rd party software?
>
>Any suggestions/solutions are appreciated. Thanks
>
>  <Resource name="jdbc/iOQDB" auth="Container"
>            type="javax.sql.DataSource"/>
>  <ResourceParams name="jdbc/iOQDB">
>    <parameter>
>      <name>username</name>
>      <value>myuser</value>
>    </parameter>
>    <parameter>
>      <name>password</name>
>      <value>mypassword</value>
>    </parameter>
>  </ResourceParams>
>
>Thanks!
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
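Doug's point that the first line of defense is protecting server.xml itself, as an added example (not code from the thread or from Tomcat): a POSIX shell audit that lists which ResourceParams blocks carry a password parameter and checks that the file is readable only by its owner. The function names are mine, and the sample server.xml is constructed from the block Cathy quoted.

```shell
# Added example, not from the thread: audit a Tomcat 4/5-style server.xml for
# database passwords stored as <parameter> values (the layout Cathy quoted)
# and check that the file is readable only by its owner.
# Print "<resource name>TAB<password length>" for every ResourceParams block
# that carries a password parameter. The password value itself is never printed.
list_db_passwords() {
    awk '
        /<ResourceParams/ { match($0, /name="[^"]*"/); res = substr($0, RSTART + 6, RLENGTH - 7) }
        /<name>password<\/name>/ { want = 1 }
        want && /<value>/ {
            v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v)
            printf "%s\t%d\n", res, length(v); want = 0
        }
        /<\/ResourceParams>/ { res = "" }
    ' "$1"
}
# Succeed only if group and other have no permission bits on the file.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 are the group/other bits
    [ "$perms" = "------" ]
}
# Constructed sample mirroring the <ResourceParams> block from the thread.
write_sample() {
    cat > "$1" <<'EOF'
<Server>
  <Resource name="jdbc/iOQDB" auth="Container" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/iOQDB">
    <parameter><name>username</name><value>myuser</value></parameter>
    <parameter>
      <name>password</name>
      <value>mypassword</value>
    </parameter>
  </ResourceParams>
</Server>
EOF
}
# Report each stored password, then fail if the file is not owner-only.
audit_server_xml() {
    list_db_passwords "$1" | while IFS="$(printf '\t')" read -r name len; do
        echo "resource $name stores a ${len}-character plaintext password in $1"
    done
    if owner_only "$1"; then
        echo "ok: $1 is readable only by its owner"
        return 0
    fi
    echo "WARNING: $1 is readable by group/others; chmod 600 and chown it to the Tomcat user"
    return 1
}
```

Run it as `write_sample /tmp/server.xml; audit_server_xml /tmp/server.xml` to see both the inventory line and the permission verdict.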
