RE: security of server.xml in tomcat
Just a thought, I can't see how having the username and password in code
is any more secure. Prying eyes could have equal access to both.
Chad Johnson
Web Services Developer
WS Packaging - Wisconsin Label
Tel:(920)487-6271
-Original Message-
From: Mohamed Tagari [mailto:[EMAIL PROTECTED]
Sent: Monday, June 09, 2003 9:32 AM
To: [EMAIL PROTECTED]
Subject: security of server.xml in tomcat
Hi,
Is there any way of instantiating the password and username
parameters for connecting to a database in the application code rather
than having it as plain text in the server.xml.
As having the username and password as plain text is not
very secure..
Any help/information will be apprectiated..
The database will be containing sensitive information, hence all
passwords
and usernames have to be protected..
// java code
Context init = new InitialContext();
Context ctx = (Context) init.lookup("java:comp/env"); DataSource ds =
(DataSource) ctx.lookup("jdbc/myoracle");
// extract from server.xml
.
.
.
username
scott
password
tiger
.
.
mo
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: security of server.xml in tomcat
On Monday, June 9, 2003, at 03:31 PM, Mohamed Tagari wrote: Hi, Is there any way of instantiating the password and username parameters for connecting to a database in the application code rather than having it as plain text in the server.xml. As having the username and password as plain text is not very secure.. Any help/information will be apprectiated.. ok store the username/password as an encrypted text string and use the JAAS API to a: encrypt it in the first place, and b: read it back into the the application from the encrypted text string in the server.xml file. I was looking into this myself (not using tomcat but in another Oracle/Java project), but the time it would take for me to implement and test the secure/encrypted version (2 days including test) was deemed to be not worthwhile. C'est la vie. Kev username scott password tiger especially the default scott/tiger :) -- "To be governed is to be watched over, inspected, spied on, directed, legislated..." - Pierre-Joseph Proudhon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: security of server.xml in tomcat
Also depends on from whom you want to hide the credentials. If it's from
web client, then based on servlet specifications "The files inside the
WEB-INF folder cannot be accessible by the web client". If you want to
protect from console access users then you can protect by defining
access rights to the web deployment.
ST
On Mon, 2003-06-09 at 14:42, Chad Johnson wrote:
> Just a thought, I can't see how having the username and password in code
> is any more secure. Prying eyes could have equal access to both.
>
> Chad Johnson
> Web Services Developer
> WS Packaging - Wisconsin Label
> Tel:(920)487-6271
>
>
> -Original Message-
> From: Mohamed Tagari [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 09, 2003 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: security of server.xml in tomcat
>
>
> Hi,
>
> Is there any way of instantiating the password and username
> parameters for connecting to a database in the application code rather
> than having it as plain text in the server.xml.
>
> As having the username and password as plain text is not
> very secure..
>
> Any help/information will be apprectiated..
>
> The database will be containing sensitive information, hence all
> passwords
> and usernames have to be protected..
>
> // java code
> Context init = new InitialContext();
> Context ctx = (Context) init.lookup("java:comp/env"); DataSource ds =
> (DataSource) ctx.lookup("jdbc/myoracle");
>
>
>
> // extract from server.xml
>type="javax.sql.DataSource"/>
>
>
> .
> .
> .
>
> username
> scott
>
>
> password
> tiger
>
> .
> .
>
>
> mo
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
--
Sri Thuraisamy <[EMAIL PROTECTED]>
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
