On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org> wrote:

> On 21/02/2017 13:31, Martin Knoblauch wrote:
> > Hi,
> >
> >  is there a way to find the absolute path of the application root before
> > the servlet is initialized?
> >
> > Alternatively: is there a way to defer the initialization of a datasource
> > until the servlet is initialized?
> >
> > Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory"
> > to automatically set credentials so that they are not stored in the
> > "Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
> > values in a file below the application root. Works fine if I know that path
> > at "createDataSource" time.
>
> And the decryption key for that file is stored where?
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
>
Thanks for the link. It clearly reflects my opinion as well, but the customer
demand is:

- no plain-text credentials (Big multinational company security policies -
fight them if you need the fun). And yes, this is all about making auditors
happy
- minimize the locations where credentials are stored. This is only lightly
related to the decrypt issue. Having to store identical stuff in more than
one place is opening up all other sorts of practical issues

So, yes - any mechanism that can decrypt needs to store the key somewhere
and this just shifts away the problem from securing one item to securing
another one. In my case the application (that I will not reveal here)
stores encrypted DB credentials in its configuration and provides an API to
retrieve them decrypted. I guess the key is somewhere in the source code
(likely obfuscated to prevent casual hacking by debugging). The less I know
... :-)

> > In order to avoid hard coding that path, I need a programmatic way to find
> > that value. Unfortunately the datasource is initialized before the servlet, so
> > "getRealPath()" is not working yet.
> >
> > Environment is Tomcat 8 plus JDK 8. Plus a commercial application that I
> > do not want to name :-)
>
> Ignoring what I suspect is a fundamental flaw in this plan, you probably
> want a ServletContextListener and contextInitialized()
>
>
Thanks again for the hint. Will have a look. In the meanwhile, I found a
way by looking at

this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();

Adding some assumptions about the classpath (which are required to be true
in this whole context) this gives me the needed information :-)

Thanks
Martin

> Mark
>
>
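
Added example, not part of the original thread: one way to turn the code-source location mentioned above into the application root on JDK 8, decoding the URL properly and failing closed when the class was not loaded from below WEB-INF. The class name WebAppRootLocator, its methods and the sample paths are assumptions made for illustration, and it assumes an unpacked deployment with file: URLs.

```java
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;

/** Hypothetical helper; the name is an assumption, not from the thread. */
public final class WebAppRootLocator {

    private WebAppRootLocator() {}

    /** Resolve the web application root from where the anchor class was loaded. */
    public static Path locate(Class<?> anchor) throws URISyntaxException {
        CodeSource cs = anchor.getProtectionDomain().getCodeSource();
        // getCodeSource() is null for classes loaded by the bootstrap loader.
        if (cs == null || cs.getLocation() == null) {
            throw new IllegalStateException("No code source for " + anchor.getName());
        }
        return rootFrom(cs.getLocation());
    }

    static Path rootFrom(URL location) throws URISyntaxException {
        // toURI() + Paths.get() decodes escapes such as %20;
        // URL.getPath() would hand back the still-encoded string.
        Path p = Paths.get(location.toURI()).toAbsolutePath().normalize();
        // Walk upwards until WEB-INF is found; its parent is the application root.
        for (Path cur = p; cur != null; cur = cur.getParent()) {
            Path name = cur.getFileName();
            if (name != null && "WEB-INF".equals(name.toString()) && cur.getParent() != null) {
                return cur.getParent();
            }
        }
        // Loaded from somewhere else (e.g. a shared lib directory): refuse to guess.
        throw new IllegalStateException("Not loaded from below WEB-INF: " + p);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample locations, not taken from the thread.
        URL classes = new URL("file:/opt/tomcat/webapps/my%20app/WEB-INF/classes/");
        URL jar = new URL("file:/opt/tomcat/webapps/my%20app/WEB-INF/lib/factory.jar");
        System.out.println(rootFrom(classes));
        System.out.println(rootFrom(jar));
    }
}
```

Inside a factory subclass the call would be WebAppRootLocator.locate(getClass()); the exception path is what enforces the classpath assumption instead of silently reading a credentials file from an unexpected directory.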
