We have the people who deploy to our servers use the AES routines from

http://www.bouncycastle.org/

to create encrypted usernames and passwords to place in the server.xml or
web.xml, and then decrypt them in the Java. I have not kept up to date on
what routines Sun provides in its packages these days.

Of course you have to store the keys some place; a keystore, I guess, would
be best, and if someone is capable of spending enough time on your server
to track down all the file locations needed to crack the code, you have
other worries.

This does not solve any insecure transmission to and from the database, but
with luck you have that behind a firewall.

Jeff
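
A worked version of the scheme Jeff describes, added here as an example and not code from the thread or from Bouncy Castle. Assumptions: the JDK's own javax.crypto (AES in GCM mode) stands in for the Bouncy Castle routines; the key is kept in a plain base64 file owned by the Tomcat user instead of a keystore; the class name, the ENC(...) wrapper and the command names are mine. It stops at producing and consuming the string: how the decrypted value reaches the connection pool depends on how the DataSource is built, and that wiring is not shown. The key loader also enforces the file-permission point raised later in the thread, refusing a key file that group or others can read.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the thread. Deployers run "genkey" once on
// the server and "encrypt" once per secret; the application calls decrypt()
// on the value it read from server.xml / web.xml. Assumption: the JDK's
// javax.crypto replaces the Bouncy Castle routines, and the key is a
// base64 file (mode 0600) rather than a keystore.
public final class CredentialCrypto {
    private static final int GCM_TAG_BITS = 128;   // 16-byte authentication tag
    private static final int IV_BYTES = 12;        // 96-bit nonce, fresh per encryption
    private static final SecureRandom RNG = new SecureRandom();

    private CredentialCrypto() {}

    // Create a random 256-bit AES key and store it base64-encoded, owner read/write only.
    public static void generateKey(Path keyFile) throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] raw = kg.generateKey().getEncoded();
        Files.write(keyFile, Base64.getEncoder().encode(raw));
        Files.setPosixFilePermissions(keyFile,
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
    }

    // Load the key, but refuse if group or others can read the file: a key that
    // every account on the box can read makes the ciphertext in server.xml pointless.
    public static SecretKey loadKey(Path keyFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        Set<PosixFilePermission> allowed =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        if (!allowed.containsAll(perms)) {
            throw new IOException(keyFile + " has permissions " + perms
                + "; expected owner read/write only. Refusing to load key.");
        }
        byte[] raw = Base64.getDecoder().decode(Files.readAllBytes(keyFile));
        return new SecretKeySpec(raw, "AES");
    }

    // Encrypt one secret. Output: ENC(base64(iv || ciphertext || tag)).
    // The parameter name (e.g. "password") is bound as associated data, so a
    // ciphertext copied into a different <parameter> fails authentication.
    public static String encrypt(SecretKey key, String paramName, String plaintext)
            throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(paramName.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return "ENC(" + Base64.getEncoder().encodeToString(out) + ")";
    }

    // Decrypt a value read from the config. Values without the ENC(...) wrapper
    // are returned unchanged so plain and encrypted entries can coexist during a
    // migration; a tampered or mis-keyed value throws AEADBadTagException.
    public static String decrypt(SecretKey key, String paramName, String value)
            throws GeneralSecurityException {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) {
            return value;
        }
        byte[] in = Base64.getDecoder().decode(value.substring(4, value.length() - 1));
        if (in.length < IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("encrypted value too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, IV_BYTES));
        c.updateAAD(paramName.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // genkey <keyfile> | encrypt <keyfile> <paramName> <secret> | decrypt <keyfile> <paramName> <value>
    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("genkey")) {
            generateKey(Paths.get(args[1]));
        } else if (args.length == 4 && args[0].equals("encrypt")) {
            System.out.println(encrypt(loadKey(Paths.get(args[1])), args[2], args[3]));
        } else if (args.length == 4 && args[0].equals("decrypt")) {
            System.out.println(decrypt(loadKey(Paths.get(args[1])), args[2], args[3]));
        } else {
            System.err.println("usage: genkey <keyfile> | encrypt|decrypt <keyfile> <paramName> <value>");
            System.exit(2);
        }
    }
}
```

Run "genkey" as the Tomcat user, then "encrypt keyfile password tiger" and paste the printed ENC(...) string into the <value> element in place of the clear-text password. The limit Jeff already concedes applies: whoever runs as the Tomcat user can read the key and decrypt, so this keeps the credential out of config copies, backups and other accounts' reach, not out of the hands of someone who has compromised the Tomcat process. The pass-through of unwrapped values is a migration convenience; once every entry is encrypted, remove it so a stray clear-text password is rejected rather than silently accepted.
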

-----Original Message-----
From: Mohamed Tagari [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 9:05 AM
To: Tomcat Users List
Subject: Re: security of server.xml


Hi,

The database contains sensitive information, so the password and
username should not be available even as read-only.

Due to the sensitivity of the data, it could be seen as viable to
recompile the code and redeploy the application.

mo

On Thu, 5 Jun 2003, John Turner wrote:

> 
> Well, if you put it in code, then every time it changes you need to
> recompile your code and redeploy your application.
> 
> If you put it in server.xml, you don't ever have to do that.
> 
> The security on server.xml is easy:
> 
> chmod 700 TOMCAT_USER
> 
> TOMCAT_USER = whatever user Tomcat runs as
> 
> John
> 
> On Thu, 5 Jun 2003 10:40:21 +0100 (BST), Mohamed Tagari <[EMAIL PROTECTED]>
> wrote:
> 
> > Hi,
> >
> > Is there any way of taking the password and username for connecting to a
> > database out of the server.xml, and placing it in code before the lookup
> > is done on this? Having the username and password in plain text is
> > not very secure.
> >
> > // java code: JNDI lookup of the container-managed DataSource
> > import javax.naming.Context;
> > import javax.naming.InitialContext;
> > import javax.sql.DataSource;
> >
> > Context init = new InitialContext();
> > Context ctx = (Context) init.lookup("java:comp/env");
> > DataSource ds = (DataSource) ctx.lookup("jdbc/myoracle");
> >
> >
> >
> > // extract from server.xml
> > <Resource name="jdbc/myoracle" auth="Container"
> > type="javax.sql.DataSource"/>
> >
> > <ResourceParams name="jdbc/myoracle">
> > .
> > .
> > .
> > <parameter>
> > <name>username</name>
> > <value>scott</value>
> > </parameter>
> > <parameter>
> > <name>password</name>
> > <value>tiger</value>
> > </parameter>
> > .
> > .
> > </ResourceParams>
> >
> > mo
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> 
> 
> 
> -- 
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
> 
> 
> 
