Re: any standart way to keep passwords encripted???
How can I mantain databases passwords without : - Being put in the code (arg) - Being in plain text in server.xml (as configured for tomcat) I use another approache than the pool from tomcat, that consist in a separate servlet and a PoolManager, which is accessed in a static way. (so other apps can reference the same instance...). In the servlet I read the init properties from web-xml that follows a pattern (poolname1,dbuser1,dbpass1, and so on for all pools). In the application I just as for the pool by the name of it. It works and I can change the pool implementation without impacting in any code of the application. We are thinking in not let the password in plain text in the web.xml. I though of 2 approaches: - Read the web.xml by a standalone app and encript the password, in my connection servlet I read it and decritp it. - Have a separate file for each pool, this file,encripted, would contain info about each pool. BTW, is there any way to use the same pool for more than one app, using tomcat pool configuration ??? thanks in advance Emerson Emerson Cargnin wrote: Is there any standart way to keep the passwords of databases encripted when creating a pool through tomcat? -- Emerson Cargnin Analista de Sistemas Setor de Desenvolvimento de Sistemas - TRE-SC tel : (048) - 251-3700 - Ramal 3181 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: any standart way to keep passwords encripted???
Emerson, > - Being in plain text in server.xml (as configured for tomcat) Protect the file with permissions. > - Read the web.xml by a standalone app and encript the password, in my > connection servlet I read it and decritp it. > > - Have a separate file for each pool, this file,encripted, would contain > info about each pool. If I can read the server.xml then I can read your .class file the decrypts it and thus can still get your password. > > BTW, is there any way to use the same pool for more than one app, using > tomcat pool configuration ??? GlobalNamingResources Search the archives for both of these subjects as they have been discussed often. Doug - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: any standart way to keep passwords encripted???
Parsons Technical Services wrote: Emerson, - Being in plain text in server.xml (as configured for tomcat) Protect the file with permissions. - Read the web.xml by a standalone app and encript the password, in my connection servlet I read it and decritp it. - Have a separate file for each pool, this file,encripted, would contain info about each pool. If I can read the server.xml then I can read your .class file the decrypts it and thus can still get your password. I still can use certificate to encript decript... BTW, is there any way to use the same pool for more than one app, using tomcat pool configuration ??? GlobalNamingResources Search the archives for both of these subjects as they have been discussed often. Doug - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Emerson Cargnin Analista de Sistemas Setor de Desenvolvimento de Sistemas - TRE-SC tel : (048) - 251-3700 - Ramal 3181 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: any standart way to keep passwords encripted???
Hi. I've had some time to think about this subject especially since others have brought it up before. The real honest to goodness problem is that eventually you'll need to deal with a password. That's just unavoidable. You could encrypt the password, but that would just need another password to decrypt it before making it useful. Even SSL has a server.key file (the server's private key) that needs to be guarded with the highest security available. The only really secure way to deal with it and not have a plain text password hanging around somewhere is to possibly have the admin enter the password on startup. I don't know about you, but I'm not crazy about babysitting a server or having the site down until I can sit at a console and put in a password :-(. Just properly secure the server.xml (or context.xml) file with read only access and only for the user tomcat is launched as. Also make sure it's in a place guaranteed not to be served out by any means. I have mine in /etc/tomcat5 and symlinked the conf directory in tomcat to /etc/tomcat5. Lastly, look at ways to limit the impact of a compromised password (firewalls, ACL's, change passwords on a routine basis, minimum privilege, etc, ...). Just my three cents on the matter. It's Friday -- time for happy hour. --David Smith, CISSP Emerson Cargnin wrote: How can I mantain databases passwords without : - Being put in the code (arg) - Being in plain text in server.xml (as configured for tomcat) I use another approache than the pool from tomcat, that consist in a separate servlet and a PoolManager, which is accessed in a static way. (so other apps can reference the same instance...). In the servlet I read the init properties from web-xml that follows a pattern (poolname1,dbuser1,dbpass1, and so on for all pools). In the application I just as for the pool by the name of it. It works and I can change the pool implementation without impacting in any code of the application. We are thinking in not let the password in plain text in the web.xml. I though of 2 approaches: - Read the web.xml by a standalone app and encript the password, in my connection servlet I read it and decritp it. - Have a separate file for each pool, this file,encripted, would contain info about each pool. BTW, is there any way to use the same pool for more than one app, using tomcat pool configuration ??? thanks in advance Emerson Emerson Cargnin wrote: Is there any standart way to keep the passwords of databases encripted when creating a pool through tomcat? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: any standart way to keep passwords encripted???
> > If I can read the server.xml then I can read your .class file the decrypts > > it and thus can still get your password. > I still can use certificate to encript decript... And if I am in control of the server, then I have access to that certificate as well. The point is simply that with proper permissions your password is as safe as it needs to be. If someone gets to it, you have way bigger problems on your hands. Doug - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: any standart way to keep passwords encripted???
On Sat, 2004-04-03 at 02:10, Parsons Technical Services wrote: > And if I am in control of the server, then I have access to that certificate > as well. > > The point is simply that with proper permissions your password is as safe as > it needs to be. If someone gets to it, you have way bigger problems on your > hands. you could always use a smartcard or usb crypto dongle, such that the private key never gets out... however, you still need to establish a session with the key and that needs a password. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]