On 10/29/2010 03:29 PM, Mark Thomas wrote:
I never said passwords should never be protected. I was quite specific that trying to encrypt usernames and passwords in server.xml (or context.xml for that matter) for database resources is a complete waste of time.
Agreed. If the hacker is already logged in with the same uid, there isn't much you can do. However, that makes me wonder why we are keeping the passwords in memory unencrypted. I suppose we should do at least some memory cleansing for any intermediate security-related processing product. On unixes the memory is uid readable, but Windows will basically allow any user to dump any process memory. In that case server.xml can have correct ACLs set up, but one will still be able to search for well-known locations in memory.

Regards
--
^TM
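An added illustration (not Tomcat code and not from either poster) of the in-memory cleansing the reply suggests: the credential is held as a char[] rather than an immutable String and zeroed as soon as it has been used, so it does not linger on the heap for a process-memory dump to find. The class name and the sample password are hypothetical.

```java
import java.util.Arrays;
import java.util.function.Function;

/** Holds a credential in a char[] so it can be wiped after use; a String cannot be zeroed. */
public final class ScrubbedCredential implements AutoCloseable {
    private final char[] secret;
    private boolean wiped;

    public ScrubbedCredential(char[] secret) {
        // Defensive copy so the caller's array can be wiped independently.
        this.secret = secret.clone();
    }

    /** Runs one operation that needs the secret; the buffer is never handed out beyond that call. */
    public <T> T use(Function<char[], T> op) {
        if (wiped) throw new IllegalStateException("credential already wiped");
        return op.apply(secret);
    }

    /** Overwrites the buffer; runs automatically at the end of a try-with-resources block. */
    @Override
    public void close() {
        Arrays.fill(secret, '\0');
        wiped = true;
    }

    public static void main(String[] args) {
        // Constructed sample value; a real secret would be read straight into a char[].
        char[] fromConfig = "hypothetical-db-password".toCharArray();
        try (ScrubbedCredential cred = new ScrubbedCredential(fromConfig)) {
            int len = cred.use(s -> s.length);
            System.out.println("used secret of length " + len);
        } finally {
            Arrays.fill(fromConfig, '\0'); // wipe the caller's copy as well
        }
        // Any API that takes the secret as a String leaves an immutable copy on the heap until
        // garbage collection, which is the exposure this pattern is meant to shorten.
    }
}
```

The sample is built from a String literal only for illustration; that literal itself stays interned in the JVM, so in real use the secret should be read into the char[] directly (for example from a Reader) so that no String copy is ever created.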