Tomcat JDBC configuration does not encrypt the database password

Mon, 26 Oct 2015 04:23:46 -0700 

In the JNDI DataSource HowTo page, it describes how to configure the DataSource 
in the application Context. I see that the password is not encrypted. Is there 
any way to configure this with an encrypted password?

A JDBC resource is configured like this in the documentation:

<Resource name="jdbc/TestDB" auth="Container" type="javax.sql.DataSource"
               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
               username="javauser" password="javadude" 
driverClassName="com.mysql.jdbc.Driver"
               url="jdbc:mysql://localhost:3306/javatest"/>

>From 
>https://tomcat.apache.org/tomcat-8.0-doc/jndi-datasource-examples-howto.html#MySQL_DBCP_Example

Other people facing the same problem have written their own extension of a  
DataSourceFactory, adding their own encryption feature. See this pages below.

How to Secure Tomcat Database Passwords for Java
"In production environments there are features of Tomcat that don't pass 
security audit reviews"
http://websphere.sys-con.com/node/393364

Encrypting database passwords (in Tomcat)
http://www.jdev.it/encrypting-passwords-in-tomcat/

Regards
Dave Cronin

Dave Cronin | Software Quality Assurance Executive | VocaLink
+44 (0)203 818 4423 (direct) | +44 (0)870 165 0019 (switchboard)
dave.cro...@vocalink.com<mailto:dave.cro...@vocalink.com> | 
www.vocalink.com<https://vocalink.jiveon.com/external-link.jspa?url=http://www.vocalink.com/>





*****************************************************
This email is issued by VocaLink, a VocaLink group company.

The VocaLink group of companies includes VocaLink Limited (Company No 06119048, 
VAT No. 907 9619 87) which is registered in England with their registered 
office at Drake House, Homestead Road, Rickmansworth, WD3 1FX United Kingdom.   
More information about the VocaLink group of companies may be found at 
http://www.vocalink.com/about-us/governance.aspx  

This message is confidential to the original addressee.  This message and any 
attachments have been scanned for viruses prior to leaving the VocaLink group 
network; however, VocaLink does not guarantee the security of this message and 
will not be responsible for any damages arising as a result of any virus being 
passed on or arising from any alteration of this message by a third party. The 
VocaLink group may monitor emails sent to and from the VocaLink group network.

*************************************************************

Reply via email to