This discussion comes up on the Tomcat mailing list at least every few months, and it always ends the same way.
The passwords are in a configuration file. That configuration file lives with the application. So, for example, if the application is a web app the configuration file lives on the web app server or a server it has access to. Either way, if a hacker gets a hold of that configuration file, it's because they've breached your firewall/server protection systems and it's game over anyway. There's really no use in making efforts to protect passwords in these configuration files. Any effort to do so just adds a _false_ sense of security, which is more dangerous than no security at all. Nick On Aug 19, 2013, at 9:54 AM, Gary Gregory wrote: > On Mon, Aug 19, 2013 at 10:52 AM, Gary Gregory <[email protected]> wrote: > On Mon, Aug 19, 2013 at 10:34 AM, Ralph Goers <[email protected]> wrote: > I'm not sure how this applies to what you are suggesting, but we should avoid > passwords being in clear text in the configuration. I would suggest using a > standard plugin interface similar to what I did with the secret key provider > in the Flume Appender. > > We should at the last offer something like > http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords > > So perhaps we need a boolean password attribute on PluginElement and > PluginAttribute > > Gary > > > Gary > > > Ralph > > On Aug 19, 2013, at 7:29 AM, Gary Gregory <[email protected]> wrote: > >> On Mon, Aug 19, 2013 at 10:25 AM, Paul Benedict <[email protected]> wrote: >> Do you need the password ever after authentication? >> >> I guess it depends on whether the code handles re-auth in case of a >> disconnect. >> >> Gary >> >> >> >> On Mon, Aug 19, 2013 at 8:55 AM, Gary Gregory <[email protected]> wrote: >> On Mon, Aug 19, 2013 at 7:27 AM, Ralph Goers <[email protected]> wrote: >> What passwords? >> >> For example: >> >> - org.apache.logging.log4j.core.net.SMTPManager.FactoryData.password >> - org.apache.logging.log4j.core.net.JMSTopicManager.password >> - org.apache.logging.log4j.core.net.JMSQueueManager.FactoryData.password >> >> Gary >> >> Ralph >> >> On Aug 19, 2013, at 4:22 AM, Gary Gregory <[email protected]> wrote: >> >>> I've seen it done many places: Should we track passwords internally as >>> char[] instead of String for ivars. >>> >>> This prevents Log4j spilling your secrets by accident in a toString to >>> internal log call. >>> >>> Gary >>> >>> -- >>> E-Mail: [email protected] | [email protected] >>> Java Persistence with Hibernate, Second Edition >>> JUnit in Action, Second Edition >>> Spring Batch in Action >>> Blog: http://garygregory.wordpress.com >>> Home: http://garygregory.com/ >>> Tweet! http://twitter.com/GaryGregory >> >> >> >> >> -- >> E-Mail: [email protected] | [email protected] >> Java Persistence with Hibernate, Second Edition >> JUnit in Action, Second Edition >> Spring Batch in Action >> Blog: http://garygregory.wordpress.com >> Home: http://garygregory.com/ >> Tweet! http://twitter.com/GaryGregory >> >> >> >> -- >> Cheers, >> Paul >> >> >> >> -- >> E-Mail: [email protected] | [email protected] >> Java Persistence with Hibernate, Second Edition >> JUnit in Action, Second Edition >> Spring Batch in Action >> Blog: http://garygregory.wordpress.com >> Home: http://garygregory.com/ >> Tweet! http://twitter.com/GaryGregory > > > > > -- > E-Mail: [email protected] | [email protected] > Java Persistence with Hibernate, Second Edition > JUnit in Action, Second Edition > Spring Batch in Action > Blog: http://garygregory.wordpress.com > Home: http://garygregory.com/ > Tweet! http://twitter.com/GaryGregory > > > > -- > E-Mail: [email protected] | [email protected] > Java Persistence with Hibernate, Second Edition > JUnit in Action, Second Edition > Spring Batch in Action > Blog: http://garygregory.wordpress.com > Home: http://garygregory.com/ > Tweet! http://twitter.com/GaryGregory
