Experiencing what???
--- Micael Padraig Og mac Grene <[EMAIL PROTECTED]> wrote:

> Are you experiencing the same thing?
>
> -----Original Message-----
> From: Timothy Fisher <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Date: Thursday, November 01, 2001 12:47 PM
> Subject: Re: Form authentication/ password changing
>
> >Craig,
> >
> >I agree with all of your comments. From the tomcat access perspective,
> >you're correct, flat file vs. DB storage of users/passwords may be
> >roughly equivalent in terms of how secure that is.
> >
> >But, if you ignore tomcat, and just consider the usernames and passwords
> >sitting out there, I would argue that they are more vulnerable sitting in
> >a flat file than in a database. But I'm sure this could be debated on and
> >on...
> >
> >Tim
> >
> >--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> >>
> >> On Thu, 1 Nov 2001, Timothy Fisher wrote:
> >>
> >> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
> >> > From: Timothy Fisher <[EMAIL PROTECTED]>
> >> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> >> > To: Tomcat Users List <[EMAIL PROTECTED]>
> >> > Subject: Re: Form authentication/ password changing
> >> >
> >> > There is a sample tomcat-users.xml included with tomcat 4.0 in the
> >> > conf directory. Just follow this format. Yes, the file must be in
> >> > this format, unless you write your own connector.
> >>
> >> Yep.
> >>
> >> > The server containing the tomcat-users file definitely must be
> >> > protected. Yes, this is less secure than storing the users/passwords
> >> > in a directory/database.
> >>
> >> It's hard to talk about "more secure" or "less secure" unless we define
> >> how you measure this :-). However, I would suggest that this is not
> >> necessarily true.
> >>
> >> First, under all circumstances, you should run Tomcat under a username
> >> other than root. That username must (obviously) have read access to the
> >> files in the "conf" directory. But, *no* other users on the server
> >> should be able to read those files. This allows you to leverage your
> >> operating system's standard protection for files.
> >>
> >> Second, let's assume that we put the users in a database instead, and
> >> configure JDBCRealm to have Tomcat talk to it. If you examine the
> >> configuration parameters you have to set up in "conf/server.xml", you
> >> will note that you have to specify the database username and password --
> >> so you are *still* depending on limiting access to the configuration
> >> files, even if you take this approach. That doesn't sound "more secure"
> >> to me.
> >>
> >> (An approach that would qualify as "more secure" would be to challenge
> >> the system administrator for a password when Tomcat is started up. Some
> >> progress towards building such stuff has taken place with regards to the
> >> "keystore" files used for SSL certificates, but not yet for database
> >> passwords. And, you have to balance the security with the extra hassle
> >> that you cannot script a startup of Tomcat without having someone around
> >> to answer the password prompt.)
> >>
> >> > Tim
> >>
> >> Craig
> >>
> >> --
> >> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> >> For additional commands: <mailto:[EMAIL PROTECTED]>
> >> Troubles with the list: <mailto:[EMAIL PROTECTED]>
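Craig's point in the quoted thread is that both tomcat-users.xml and a JDBCRealm setup end up relying on who can read the files under conf/, so the practical control is OS file protection on that directory. The audit script below is an added example written for this page, not code from the thread or from the Tomcat project: it reports files under a conf directory that group or world can read, files not owned by the service account (the account name "tomcat" is an assumed default; pass your own), and XML files carrying a JDBCRealm connectionPassword attribute, which makes them credential stores in the same sense as tomcat-users.xml.

```shell
#!/bin/sh
# Added audit example (not from the thread or the Tomcat project).
# Usage: audit_conf_dir /path/to/tomcat/conf [service-account]
# Exit status is 0 only when no permission or ownership problem is found.

audit_conf_dir() {
    dir="$1"
    owner="${2:-tomcat}"   # assumed service account name; override per install
    problems=0

    # 1. Regular files with the group-read (040) or other-read (004) bit set
    #    are readable by accounts other than the one Tomcat runs as.
    others=$(find "$dir" -type f \( -perm -040 -o -perm -004 \))
    if [ -n "$others" ]; then
        printf 'READABLE BY OTHER USERS:\n%s\n' "$others"
        problems=$(( problems + $(printf '%s\n' "$others" | wc -l) ))
    fi

    # 2. Files not owned by the service account usually mean a config was
    #    copied in by root or a deploy script under the wrong identity.
    foreign=$(find "$dir" -type f ! -user "$owner")
    if [ -n "$foreign" ]; then
        printf 'NOT OWNED BY %s:\n%s\n' "$owner" "$foreign"
        problems=$(( problems + $(printf '%s\n' "$foreign" | wc -l) ))
    fi

    # 3. A connectionPassword attribute (JDBCRealm) marks the file as a
    #    credential store, so it needs the same protection as tomcat-users.xml.
    secrets=$(grep -l 'connectionPassword=' "$dir"/*.xml 2>/dev/null || true)
    if [ -n "$secrets" ]; then
        printf 'CONTAINS A DATABASE PASSWORD (protect like tomcat-users.xml):\n%s\n' "$secrets"
    fi

    echo "$problems permission/ownership problem(s) under $dir"
    [ "$problems" -eq 0 ]
}
```

Run it against the live conf directory as part of a deploy check; a non-zero exit status is the signal to fail the deployment, and the password-bearing files list tells you which files must stay mode 600 (or 400) even if the realm data itself lives in a database.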
