On 30/10/2010 15:19, Darryl Lewis wrote:
> Well so far all this discussion has done is to make me realise that tomcat
> should not be used in an environment that requires security.
> If cracking an app will let you get passwords on another box, that is weak
> security.

You are missing the point. There is no way to achieve what you are trying to achieve using encryption.

Tomcat has to be able to access a plain-text form of the username and password in order to use them to connect to the database. If the Tomcat process can do this then an attacker that has compromised the Tomcat process can do this.

You could use a security manager to limit what a compromised application can do. The downside is writing apps that run under a security manager is hard.

Mark
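
A sketch of the security manager approach mentioned in the reply above, as an added example that is not part of the original thread: a `conf/catalina.policy` grant that confines one web application. The application name `shop`, the host `db.internal.example` and port 5432 are assumptions.

```java
// Added illustration for conf/catalina.policy (Java policy file syntax).
// It takes effect only when Tomcat runs with the Security Manager enabled,
// for example: catalina.sh start -security
// "shop", "db.internal.example" and 5432 are assumed names, not from the thread.

grant codeBase "file:${catalina.base}/webapps/shop/-" {
    // Outbound network access: the database listener and nothing else.
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";

    // Nothing further is granted to this application here. In particular:
    //  - no java.io.FilePermission on "${catalina.base}/conf/-", so code in
    //    this application cannot read server.xml or other container
    //    configuration files;
    //  - no java.io.FilePermission with the "execute" action, so it cannot
    //    launch external programs;
    //  - no java.net.SocketPermission for any other host or port.
};
```

The application's own database credentials stay readable to its own code, as the reply explains; the policy only narrows what else a compromised application can reach.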