Craig, I agree with all of your comments. From the tomcat access perspective, you're correct: flat file vs. DB storage of users/passwords may be roughly equivalent in terms of how secure that is.

But, if you ignore tomcat, and just consider the usernames and passwords sitting out there, I would argue that they are more vulnerable sitting in a flat file than in a database. But I'm sure this could be debated on and on...

Tim

--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
>
> On Thu, 1 Nov 2001, Timothy Fisher wrote:
>
> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
> > From: Timothy Fisher <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: Form authentication/ password changing
> >
> > There is a sample tomcat-users.xml included with tomcat 4.0 in the conf
> > directory. Just follow this format. Yes, the file must be in this
> > format, unless you write your own connector.
> >
>
> Yep.
>
> > The server containing the tomcat-users file definitely must be
> > protected. Yes, this is less secure than storing the users/passwords
> > in a directory/database.
> >
>
> It's hard to talk about "more secure" or "less secure" unless we define
> how you measure this :-). However, I would suggest that this is not
> necessarily true.
>
> First, under all circumstances, you should run Tomcat under a username
> other than root. That username must (obviously) have read access to the
> files in the "conf" directory. But, *no* other users on the server should
> be able to read those files. This allows you to leverage your operating
> system's standard protection for files.
>
> Second, let's assume that we put the users in a database instead, and
> configure JDBCRealm to have Tomcat talk to it. If you examine the
> configuration parameters you have to set up in "conf/server.xml", you will
> note that you have to specify the database username and password -- so you
> are *still* depending on limiting access to the configuration files, even
> if you take this approach. That doesn't sound "more secure" to me.
>
> (An approach that would qualify as "more secure" would be to challenge the
> system administrator for a password when Tomcat is started up. Some
> progress towards building such stuff has taken place with regards to the
> "keystore" files used for SSL certificates, but not yet for database
> passwords. And, you have to balance the security with the extra hassle
> that you cannot script a startup of Tomcat without having someone around
> to answer the password prompt.)
>
> > Tim
> >
>
> Craig
>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
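Added example, not part of the thread above and not Tomcat's own tooling: a small POSIX shell audit that checks the two points Craig makes. It verifies that conf/tomcat-users.xml and conf/server.xml are owned by the Tomcat service account and carry no group/other permission bits, and it flags a server.xml that embeds a JDBCRealm connectionPassword, since that file then holds a secret just as tomcat-users.xml does. The conf directory path and the service user name are assumed to be passed as arguments; the ls(1) column parsing is an assumption chosen for portability between GNU and BSD systems.

```shell
#!/bin/sh
# Audit Tomcat conf/ files for the protections discussed above.
# Usage: audit_conf_dir /path/to/tomcat/conf tomcat
# (paths and user name are the caller's; nothing here is Tomcat's own code)

# file_mode_ok FILE : 0 if group and other have no r/w/x bits at all.
# Positions 5-10 of `ls -ld` output are the group and other permission triplets.
file_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# file_owner_ok FILE USER : 0 if FILE is owned by USER (third column of ls -ld).
file_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# server_has_db_password FILE : 0 if a JDBCRealm connectionPassword is inline,
# i.e. the file itself carries a database credential and must be treated as secret.
server_has_db_password() {
    grep -q 'connectionPassword=' "$1"
}

# audit_conf_dir DIR USER : prints one line per finding; return value is the
# number of problems found (0 means both files are owned by USER and mode 0600-ish).
audit_conf_dir() {
    dir=$1
    user=$2
    problems=0
    for f in "$dir/tomcat-users.xml" "$dir/server.xml"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            problems=$((problems + 1))
            continue
        fi
        if ! file_owner_ok "$f" "$user"; then
            echo "OWNER   $f is not owned by $user"
            problems=$((problems + 1))
        fi
        if ! file_mode_ok "$f"; then
            echo "MODE    $f is readable by group or other users"
            problems=$((problems + 1))
        fi
    done
    if server_has_db_password "$dir/server.xml" 2>/dev/null; then
        echo "INFO    $dir/server.xml embeds a JDBCRealm connectionPassword; it holds a secret"
    fi
    return $problems
}
```

Run it as the Tomcat user (or root) against the real conf directory; a non-zero exit means at least one file is missing, mis-owned, or readable by other accounts, and the INFO line reminds you that moving users into a database does not remove the secret from the configuration tree.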
