Chuck,

You have a very valid point.

Right now we have the tomcat instance running as a tomcat:tomcat user
and group. I realize that we are perhaps being a bit paranoid but the
original reason for obfuscating the password was in case someone found
an exploit within tomcat itself and gained shell access with tomcat
privileges.

What could they do at that point?  Read things like server.xml...

Again perhaps that is being a bit paranoid. But that is what security
is all about. :)

-Dennis


-----Original Message-----
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 14, 2005 5:47 PM
To: Tomcat Users List
Subject: RE: can JNDIRealm connectionPassword be encrypted?

> From: Klotz Jr, Dennis [mailto:[EMAIL PROTECTED] 
> Subject: RE: can JNDIRealm connectionPassword be encrypted?
> 
> To me and my co-workers that login still represents a large 
> security risk if someone can gain access to the file 
> server.xml.

If someone can gain access to server.xml, you essentially have a
complete breakdown of security for that system.  If you don't trust your
file system to protect against unauthorized intrusion, any other
security considerations are moot.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

