RE: DB-password clear text - what alternatives?

[Derek Hohls]

Chris   Thanks - the code is very clear... just one small problem : I am still using Cocoon 1.8 (and am likely to for a while, for various reasons) - would this also work in that version?   Derek >>> [EMAIL PROTECTED] 29/08/2001 10:55:23 >>> Hi Derek, The cocoon.xconf file is the main cocoon 2 configuration file and it is located in the <cocoon>/webapp directory. I use connection pooling to access my database and I describe the connection in my cocoon.xconf file: <datasources>     <jdbc name="my_connection">         <dburl>jdbc:mysql://localhost:3306/my_database_name</dburl>         <user>my_db_user</user>         <password>not_telling_you</password>     </jdbc> </datasources> Then in each XSP page that accesses the database I do not need to put my database name or password into the page, I just specify the connection that is described in cocoon.xconf: <esql:connection>     <esql:pool>my_connection</esql:pool>         <esql:execute-query>             <esql:query>                 blah blah blah .... 'localhost' is an alias for the IP address 127.0.0.1 which refers to the local machine. i.e. the database server is on the same machine as cocoon 2. Hope this helps, Best Regards, Chris -----Original Message----- From: Derek Hohls [mailto:[EMAIL PROTECTED]] Sent: 29 August 2001 07:21 To: [EMAIL PROTECTED] Subject: DB-password clear text - what alternatives? Please expand on the hints below... there are few areas that are not clear to me yet - at the moment all my passwords are stored in the xml file that makes the calls to the db  e.g.   String DBPass = "password"; ...   <esql:password><xsp:expr>DBPass</xsp:expr></esql:password> and I am worried that as the xml file is readable (normally, indirectly, but there are no guarantees here), that someone could find a way of displaying its contents. What is a ' localhost loopback' and what/where is the 'cocoon.xconf' and how would you use either/both to replace the above system?  Please include code snippets if at all possible... Thanks Derek >>> [EMAIL PROTECTED] 28/08/2001 10:38:55 >>> On Tue, Aug 28, 2001 at 11:21:45AM +0200, Enke Michael wrote: > Hi! > Is there a possibility or would it be > easy to implement to have the DB password > encrypted in some kind (in *.xsp or cocoon.xconf)? as long as the direct JDBC connection requires plaintext passwords (and yes all existing JDBC driver implementations require plaintext) it's absolutely useless to add encryption to another layer. anyway passwords are stored in a file on the server and JDBC connection is usually made via localhost loopback, therefore password sniffing is almost impossible and cocoon.xconf or whichever file the password actually contains is not readable by ordinary users via web... > This doesn't mean a state of the art > encryption (too complicated!?), but only > that not everybody can have direct access > to the database. don't get this, if there is a password that only admin knows, then anyone who does not know it does not have the access to the database or am I wrong ??? > > Regards, > Michael > rgds, martin -- ---------------------------------------------------------------------------- --- "Only dead fish swims with a stream"                         Malcolm Muggeridge gpg_key_available: http://globales.cz/~mman/martin.man.gpg gpg_key_fingerprint: 2CC0 4AF6 92DA 5CBF 5F09  7BCB 6202 7024 6E06 0223 --------------------------------------------------------------------- Please check that your question has not already been answered in the FAQ before posting. <http://xml.apache.org/cocoon/faqs.html> To unsubscribe, e-mail: <[EMAIL PROTECTED]> For additional commands, e-mail: <[EMAIL PROTECTED]> --------------------------------------------------------------------- Please check that your question has not already been answered in the FAQ before posting. <http://xml.apache.org/cocoon/faqs.html> To unsubscribe, e-mail: <[EMAIL PROTECTED]> For additional commands, e-mail: <[EMAIL PROTECTED]>