Sorry, as has been pointed out my response isn't correct. Digesting the passwords is supported - see the docs. Where encrypting passwords is not supported is for external resources such as databases.
Mark > -----Original Message----- > From: Mark Thomas [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 25, 2005 9:44 PM > To: 'Tomcat Users List'; [EMAIL PROTECTED] > Subject: RE: Securing Manager Role > > This is not supported because there is simply no point. > > If someone can read the tomcat-users.xml file then they > almost certainly own the > server and you have bigger problems than someone having > access to the manager > app. > > Consider if the password was encrypted, where is the > decryption key stored? > There is no point putting it in the Tomcat code since it is > open source (and > even if it wasn't it would still be bad security). You could > put it in a > separate file, but if an attacker can read tomcat-users.xml, > there is no reason > to suppose they won't be able to read the file with the key. > > Mark > > > -----Original Message----- > > From: Nehal Sangoi [mailto:[EMAIL PROTECTED] > > Sent: Monday, October 24, 2005 10:05 AM > > To: 'Tomcat Users List' > > Subject: Securing Manager Role > > > > > > Hi, > > > > How can i encrypt the manager user's password in > > tomcat-users.xml file? I > > need to keep manager-deployer thing be secured in my environment. > > > > Thanks & Regards, > > Nehal > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
