On 22.02.2017 at 11:19, Martin Knoblauch wrote:
On Tue, Feb 21, 2017 at 8:55 PM, Mark Thomas <ma...@apache.org> wrote:

On 21/02/2017 13:31, Martin Knoblauch wrote:
Hi,

  is there a way to find the absolute path of the application root before
the servlet is initialized?

Alternatively: is there a way to defer the initialization of a datasource
until the servlet is initialized?

Background: I have extended "org.apache.tomcat.jdbc.pool.DataSourceFactory"
to automatically set credentials so that they are not stored in the
"Catalina/localhost/XXX.xml" file. Instead they are taken from encrypted
values in a file below the application root. Works fine if I know that path
at "createDataSource" time.
And the decryption key for that file is stored where?

https://wiki.apache.org/tomcat/FAQ/Password


  Thanks for the link. It clearly reflects my opinion as well, but the customer
demand is:

- no plain-text credentials (Big multinational company security policies -
fight them if you need the fun). And yes, this is all about making auditors
happy
- minimize the locations where credentials are stored. This is only lightly
related to the decrypt issue. Having to store identical stuff in more than
one place is opening up all other sorts of practical issues

  So, yes - any mechanism that can decrypt needs to store the key somewhere
and this just shifts away the problem from securing one item to securing
another one. In my case the application (that I will not reveal here)
stores encrypted DB credentials in its configuration and provides an API to
retrieve them decrypted. I guess the key is somewhere in the source code
(likely obfuscated to prevent casual hacking by debugging). The less I know
... :-)

In order to avoid hard coding that path, I need a programmatic way to find
that value. Unfortunately the datasource is initialized before the servlet, so
"getRealPath()" is not working yet.

Environment is Tomcat 8 plus JDK 8. Plus a commercial application that I
do not want to name :-)
Ignoring what I suspect is a fundamental flaw in this plan, you probably
want a ServletContextListener and contextInitialized()


Thanks again for the hint. Will have a look. In the meanwhile I found a
way by looking at

this.getClass().getProtectionDomain().getCodeSource().getLocation().getPath();

Adding some assumptions about the classpath (which are required to be true
in this whole context) this gives me the needed information :-)

Thanks
Martin

Mark


I could imagine that the use of a secure key-value store would be helpful in this scenario. Vault is a great solution for this. Quick googling [1] brings a Tomcat implementation for Vault.
If you're not already familiar with Vault, give it a try [2].

Daniel

[1] https://github.com/januslabs/tomcat-vault
[2] https://www.hashicorp.com/vault.html
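For readers following the thread, here is an added example (not code from the thread, from Tomcat or from the commercial application Martin mentions) of the approach Mark suggests: a ServletContextListener builds the tomcat-jdbc pool in contextInitialized(), where getRealPath() already works, and only falls back to the getProtectionDomain().getCodeSource() trick Martin found, with the classpath assumptions he mentions made explicit. The credential file name "WEB-INF/db-credentials.enc", its layout (base64 of a 12-byte IV followed by AES-GCM ciphertext of "user\npassword"), the context-params "db.driver" and "db.url", and the environment variable DB_CRED_KEY are all assumptions. As the FAQ Mark links says, the key still has to live somewhere; this example keeps it out of the WAR and out of the context XML but does not make that problem go away.

```java
// Added example, not from the thread. Assumes Tomcat 8 (javax.servlet API) and
// tomcat-jdbc on the classpath. File name, file layout, context-params and the
// DB_CRED_KEY environment variable are assumptions, not anything from the thread.
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import org.apache.tomcat.jdbc.pool.DataSource;
import org.apache.tomcat.jdbc.pool.PoolProperties;

@WebListener
public class CredentialDataSourceListener implements ServletContextListener {

    public static final String ATTR = "app.dataSource";          // assumed attribute name
    private static final String CRED_FILE = "WEB-INF/db-credentials.enc"; // assumed file
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_LEN = 12;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            Path root = applicationRoot(ctx);
            String[] cred = decryptCredentials(root.resolve(CRED_FILE), keyFromEnvironment());
            PoolProperties p = new PoolProperties();
            p.setDriverClassName(ctx.getInitParameter("db.driver")); // assumed context-param
            p.setUrl(ctx.getInitParameter("db.url"));                 // assumed context-param
            p.setUsername(cred[0]);
            p.setPassword(cred[1]);
            // Pool is created here, after the context exists, instead of via a
            // JNDI <Resource> whose factory runs before getRealPath() is usable.
            ctx.setAttribute(ATTR, new DataSource(p));
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalStateException("could not initialise data source", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        Object ds = sce.getServletContext().getAttribute(ATTR);
        if (ds instanceof DataSource) {
            ((DataSource) ds).close();
        }
    }

    // Preferred: the container tells us the root. Fallback: derive it from the
    // code source, which only holds for an exploded WAR where this class sits in
    // WEB-INF/classes or in a jar under WEB-INF/lib; anything else is rejected.
    static Path applicationRoot(ServletContext ctx) throws IOException {
        String real = ctx.getRealPath("/");
        if (real != null) {
            return Paths.get(real);
        }
        try {
            Path loc = Paths.get(CredentialDataSourceListener.class.getProtectionDomain()
                    .getCodeSource().getLocation().toURI());
            boolean jar = loc.getFileName().toString().endsWith(".jar");
            Path webInf = jar ? loc.getParent().getParent() : loc.getParent();
            if (webInf == null || !"WEB-INF".equals(webInf.getFileName().toString())) {
                throw new IOException("unexpected code source layout: " + loc);
            }
            return webInf.getParent();
        } catch (URISyntaxException | NullPointerException e) {
            throw new IOException("cannot determine application root", e);
        }
    }

    // Assumed layout: base64( IV[12] || AES-GCM ciphertext of "user\npassword" ).
    // GCM authenticates the blob, so a tampered file fails here rather than
    // silently yielding a wrong password.
    static String[] decryptCredentials(Path file, byte[] key)
            throws IOException, GeneralSecurityException {
        String b64 = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII).trim();
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length < IV_LEN + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("credential file too short");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
        String[] parts = new String(c.doFinal(ct), StandardCharsets.UTF_8).split("\n", 2);
        if (parts.length != 2) {
            throw new GeneralSecurityException("unexpected credential format");
        }
        return parts;
    }

    // The key is read from the process environment (assumed variable name) so it
    // is deployed with the host, not packaged in the WAR or the context XML.
    static byte[] keyFromEnvironment() throws GeneralSecurityException {
        String b64 = System.getenv("DB_CRED_KEY");
        if (b64 == null) {
            throw new GeneralSecurityException("DB_CRED_KEY is not set");
        }
        byte[] key = Base64.getDecoder().decode(b64);
        if (key.length != 16 && key.length != 32) {
            throw new GeneralSecurityException("key must be 128 or 256 bit");
        }
        return key;
    }
}
```

Servlets then obtain the pool with `(DataSource) getServletContext().getAttribute(CredentialDataSourceListener.ATTR)`. The code-source fallback is kept narrow on purpose: getCodeSource() can return null, a SecurityManager can refuse getProtectionDomain(), and the path is only meaningful for an exploded deployment, which is exactly the set of assumptions Martin says must hold in his setup.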

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
