Thanks Chris, I totally agree with you.

On Tue, Oct 23, 2018 at 6:03 PM Will Nordmeyer <quark...@gmail.com> wrote:

> Chris,
>
> I understand all of that and am working all those concerns to the
> PTB... but as with many management situations reality doesn't fit with
> the "security" mindset.
> On Tue, Oct 23, 2018 at 10:59 AM Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> >
> > Will,
> >
> > On 10/23/18 10:44, Will Nordmeyer wrote:
> > > I'm currently running Tomcat 7 (will likely migrate to 8 or 9 in
> > > the next year).  I tried working with Oracle on this with no
> > > success.
> > >
> > > We have an Oracle Database connection defined within our web.xml
> > > (see below).  We need to convert to using 2 Factor (certificate?)
> > > based Authentication.
> > >
> > > How do we convert from our embedded username password to 2FA
> >
> > Uhh...
> >
> > How would you enter your second-factor into the server? During service
> > startup? What happens if the connection times out and you have to
> > re-authenticate? Do you want to be paged in the middle of the night to
> > re-enter your 2FA code? How about 10 times per hour on 100 different
> > servers?
> >
> > 2FA doesn't make any sense at all for services contacting other
> > services. 2FA makes sense for humans contacting services because
> > humans are so much worse at password management, social engineering
> > resistance, etc.
> >
> > If you have a segment of your IT team mandating 2FA for database
> > connections (even for services), tell them that THEY have to use THEIR
> > 2FA credentials to unlock the database for YOUR services. See how long
> > that policy survives.
> >
> > - -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
