How to protect the plain text username and password in the server.xml

2010-10-29 Thread 彬 乔
Dears,

We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it 
is a financial system. An internal audit indicated that we should not use plain 
text username and password in the server.xml, as:
<Resource
    username="user"
    password="password"
    ...
/>
Is there a way to use encrypted username and password in the server.xml file? 
Or, use the username and password as parameters of the startup command, instead 
of leaving them as plain text in the server.xml?

Thanks,

Roy Qiao

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: How to protect the plain text username and password in the server.xml

2010-10-29 Thread Simon Funnell
It is possible to define the element as an entity in server.xml:

<!DOCTYPE Server [
  <!ENTITY secure_resource SYSTEM "http://somewhere.com/resource.xml">
]>

and then replace the Resource element with the entity:

&secure_resource;

Because the entity resolves to an external source, this source can be
generated dynamically, by a script for example.

This script could potentially be limited in execution to the tomcat
user/instance.

Other users who can possibly read the script that generates the
username/password, but not execute it, cannot get the username/password.

Regards,

Simon

On 29/10/10 10:19, 彬 乔 wrote:
> Dears,
>
> We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it 
> is a financial system. An internal audit indicated that we should not use 
> plain text username and password in the server.xml, as:
>
> <Resource
>     username="user"
>     password="password"
>     ...
> />
>
> Is there a way to use encrypted username and password in the server.xml file? 
> Or, use the username and password as parameters of the startup command, 
> instead of leaving them as plain text in the server.xml?
>
> Thanks,
>
> Roy Qiao
>




Re: How to protect the plain text username and password in the server.xml

2010-10-29 Thread Pid
On 29/10/2010 10:19, 彬 乔 wrote:
> Dears,
> 
> We are using Tomcat 5.5.20 in a RHEL 64bit box. The application running on it 
> is a financial system. An internal audit indicated that we should not use 
> plain text username and password in the server.xml, as:
> 
> <Resource
>     username="user"
>     password="password"
>     ...
> />
> 
> Is there a way to use encrypted username and password in the server.xml file? 
> Or, use the username and password as parameters of the startup command, 
> instead of leaving them as plain text in the server.xml?

Just set the permissions of the file to be read-only for the user that
runs Tomcat, and restrict access to that user.

  chmod 600 server.xml

If the user (say 'tomcat') doesn't have a login shell, then only root
will be able to read that file.

Encrypting passwords in server.xml is largely a waste of time.


p
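A small audit script for the two conditions this reply relies on (server.xml readable only by the Tomcat account, and that account having no login shell), added here as an example and not part of the thread. The default path and the account name "tomcat" are assumptions; pass your own as arguments.

```shell
# Added example, not from the thread: audit the two conditions Pid's reply relies on.
# Account name and path are arguments; "tomcat" and the conf path are assumed defaults.

# 0 if SHELL_PATH is a non-interactive shell (nologin/false), 1 otherwise.
shell_is_nologin() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print USER's login shell from /etc/passwd (empty if the account does not exist).
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' /etc/passwd
}

# 0 if FILE is owned by OWNER with mode 0600 or 0400 (no group/other bits),
# 1 if it is owned by someone else or readable more widely, 2 if it cannot be inspected.
check_file_perms() {
    file="$1"; owner="$2"
    [ -f "$file" ] || return 2
    # GNU stat first (RHEL and other Linux); BSD/macOS form after '||'
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 2
    fowner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file" 2>/dev/null) || return 2
    [ "$fowner" = "$owner" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks, print one line per result, return 0 only if both pass.
audit_server_xml() {
    file="${1:-/usr/local/tomcat/conf/server.xml}"   # assumed location
    owner="${2:-tomcat}"
    rc=0
    if check_file_perms "$file" "$owner"; then
        echo "ok: $file is owned by $owner and not group/world readable"
    else
        echo "FINDING: $file is not restricted to $owner (check owner and 'chmod 600')"
        rc=1
    fi
    if shell_is_nologin "$(user_shell "$owner")"; then
        echo "ok: $owner has no login shell"
    else
        echo "FINDING: $owner has an interactive login shell (or does not exist)"
        rc=1
    fi
    return "$rc"
}
```

Run it as `audit_server_xml /path/to/server.xml tomcat`; a non-zero exit means at least one finding was printed.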
