Sorry, as has been pointed out, my response isn't correct. Digesting the
passwords is supported - see the docs. Where encrypting passwords is not
supported is for external resources such as databases.

Mark

> -----Original Message-----
> From: Mark Thomas [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 25, 2005 9:44 PM
> To: 'Tomcat Users List'; [EMAIL PROTECTED]
> Subject: RE: Securing Manager Role
> 
> This is not supported because there is simply no point.
> 
> If someone can read the tomcat-users.xml file then they almost certainly own the
> server and you have bigger problems than someone having access to the manager
> app.
> 
> Consider if the password was encrypted, where is the decryption key stored?
> There is no point putting it in the Tomcat code since it is open source (and
> even if it wasn't it would still be bad security). You could put it in a
> separate file, but if an attacker can read tomcat-users.xml, there is no reason
> to suppose they won't be able to read the file with the key.
> 
> Mark
> 
> > -----Original Message-----
> > From: Nehal Sangoi [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, October 24, 2005 10:05 AM
> > To: 'Tomcat Users List'
> > Subject: Securing Manager Role
> > 
> > 
> > Hi,
> > 
> > How can I encrypt the manager user's password in the tomcat-users.xml file? I
> > need to keep the manager-deployer thing secured in my environment.
> > 
> > Thanks & Regards,
> > Nehal
> > 
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 

