On 30/10/2010 12:59, Mladen Turk wrote:
> On 10/29/2010 03:29 PM, Mark Thomas wrote:
>>
>> I never said passwords should never be protected. I was quite specific
>> that trying to encrypt usernames and passwords in server.xml (or
>> context.xml for that matter) for database resources is a complete waste
>> of time.
>>
> 
> Agreed. If the hacker is already logged in with the same uid,
> there isn't much you can do.
> However, that makes me wonder why we are keeping the passwords
> in memory unencrypted. I suppose we should do at least some memory
> cleansing for any intermediate security related processing product.

Unfortunately the database password for a database resource needs to be
available throughout the life of the Tomcat process.

Mark
