Thanks for the quick reply George!

We could, but the data is still available, in this case a file, versus in
the output of "ps -ef | grep java".  We can obviously encrypt the sensitive
information.

One idea, in order to support injecting Environment Variables would be to
support a syntax of

${env.DB_USER}

where if the substitution property starts with "env", then the variable
could be retrieved by System.getenv(...) otherwise System.getProperty(...).

On Mon, Jan 22, 2018 at 10:19 PM, George Stanchev <gstanc...@serena.com>
wrote:

> Can you use catalina.properties? From the docs [1]
>
> " All system properties are available including those set using the -D
> syntax, those automatically made available by the JVM and those configured
> in the $CATALINA_BASE/conf/catalina.properties file."
>
> [1] https://tomcat.apache.org/tomcat-7.0-doc/config/index.html
>
>
> -----Original Message-----
> From: Algirdas Veitas [mailto:apvei...@gmail.com]
> Sent: Monday, January 22, 2018 4:02 PM
> To: users@tomcat.apache.org
> Subject: Using Environment variables instead of Java -D properties for
> context.xml substitution
>
> Hi,
>
> We have a context.xml under $TOMCAT_HOME/conf that looks like this:
>
> <Resource name="jdbc/theDB"
>    auth="Container"
>    type="javax.sql.DataSource"
>    username="${DB_USERNAME}"
>    password="${DB_PASSWORD}"
>    driverClassName="oracle.jdbc.OracleDriver"
>    validationQuery="select 1 from dual"
>    testOnBorrow="true"
>    url="${DB_URL}"
> />
>
> if we do something like this in setenv.sh, the substitution works great
>
> export DB_USERNAME=xyz
> export DB_PASSWORD=vvv
>
> export JAVA_OPTS="$JAVA_OPTS -DDB_USERNAME=$DB_USERNAME"
> export JAVA_OPTS="$JAVA_OPTS -DDB_PASSWORD=$DB_PASSWORD"
>
> However, on a Linux box, if someone did a "ps -ef | grep java", they
> would be able to see the actual values of these parameters.
>
> theuser 127734      1  0 Jan19 ?        00:04:39 /opt/java/bin/java
> -Djava.util.logging.config.file=/opt/mis/apps/jaspersoft/
> tomcat/apache-tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -DDB_USERNAME=xyz
> -DDB_PASSWORD=vvv
>
> Which our operations team does not want....
>
> Is there any syntax that Tomcat can recognize to substitute true
> environment variables (i.e. export DB_USERNAME=xyz) as opposed to Java
> properties injected into the JVM by -D (i.e. export
> DB_USERNAME=$DB_USERNAME) ?  Haven't been able to find any documentation
> on it, but thought I would ask.
>
> Thanks in advance,
> Al
>
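
The ${env.DB_USER} idea from the reply above, sketched as an added example (not part of the original thread and not Tomcat's own code): keys starting with "env." are read from the process environment, all others from Java system properties. The class name EnvAwareResolver and the sample attribute string are hypothetical.

```java
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: hypothetical resolver for the ${env.NAME} syntax proposed above.
public class EnvAwareResolver {
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([^}]+)\\}");
    private static final String ENV_PREFIX = "env.";

    private final Map<String, String> env;
    private final Properties props;

    public EnvAwareResolver(Map<String, String> env, Properties props) {
        this.env = env;
        this.props = props;
    }

    // "env.X" -> environment variable X; anything else -> Java system property.
    public String resolve(String key) {
        if (key.startsWith(ENV_PREFIX)) {
            return env.get(key.substring(ENV_PREFIX.length()));
        }
        return props.getProperty(key);
    }

    // Replace every ${...} token. Unresolved tokens are left as written so a
    // missing variable stays visible instead of silently becoming empty.
    public String substitute(String text) {
        Matcher m = TOKEN.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = resolve(m.group(1));
            // quoteReplacement: secrets often contain '$' or '\', which
            // appendReplacement would otherwise treat as group references.
            m.appendReplacement(out, Matcher.quoteReplacement(value != null ? value : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        EnvAwareResolver r = new EnvAwareResolver(System.getenv(), System.getProperties());
        // Constructed sample attribute; DB_USER would be exported in setenv.sh
        // without being copied into JAVA_OPTS, so it never reaches the command line.
        System.out.println(r.substitute("username=\"${env.DB_USER}\" home=\"${java.home}\""));
    }
}
```

Tomcat's digester can be pointed at a custom org.apache.tomcat.util.IntrospectionUtils.PropertySource through the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property; resolve(String) above has the shape such a getProperty(String) implementation needs.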
