On 30 Oct 2010, at 15:20, Darryl Lewis <darryl.le...@unsw.edu.au> wrote:
> Well so far all this discussion has done is to make me realise that tomcat
> should not be used in an environment that requires security.

Complete nonsense.

p

> If cracking an app will let you get passwords on another box, that is weak
> security.
>
>
> On 30/10/10 11:27 PM, "Caldarale, Charles R" <chuck.caldar...@unisys.com>
> wrote:
>
>> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
>> Subject: Re: running tomcat6 under a different user than root (debian)
>
>> Use encryption
>> http://java.sys-con.com/node/393364
>
> Sorry, that just moves the problem. The article completely ignores the issue
> of where to put the decryption key - which must be in plain text somewhere.
> As Mark pointed out, obfuscation != security.
>
> - Chuck
>
> P.S. Interesting that the author of that article was using a Tomcat already
> three years old at the time of publication; doesn't really help the somewhat
> questionable credibility. (Reference implementations shouldn't be used in
> production? Where did he get that one?)