On 30/10/2010 18:27, Mark Thomas wrote:
> On 30/10/2010 15:19, Darryl Lewis wrote:
>> Well so far all this discussion has done is to make me realise that tomcat
>> should not be used in an environment that requires security.
>> If cracking an app will let you get passwords on another box, that is weak
>> security.
>
> You are missing the point. There is no way to achieve what you are
> trying to achieve using encryption. Tomcat has to be able to access a
> plain-text form of the username and password in order to use them to
> connect to the database. If the Tomcat process can do this then an
> attacker that has compromised the Tomcat process can do this.

Oh, and if it wasn't obvious this applies to *any* application server.
If they claim anything different then all you will be getting is
security by obscurity.

Mark