SHA encrypting of passwords in server.xml/tomcat-users.xml files

2006-04-17 Thread Marc Farrow
I learned how to do this last week and I am enjoying the ease of setup in
order to accomplish this.  However, I would like to expand on this a bit
further and use the SHA encrypting with my database password (the one used
in Tomcat's connection pooling).  Is this possible?  If so, can someone lead
me in the right direction?

Thank you.

--
Marc Farrow


Re: SHA encrypting of passwords in server.xml/tomcat-users.xml files

2006-04-17 Thread Mark Thomas
Marc Farrow wrote:
 I learned how to do this last week and I am enjoying the ease of setup in
 order to accomplish this.  However, I would like to expand on this a bit
 further and use the SHA encrypting with my database password (the one used
 in Tomcat's connection pooling).  Is this possible?  If so, can someone lead
 me in the right direction?

It isn't possible. This comes up a lot so I will try and explain why.

Starting with the Tomcat users example where you can use hashed passwords:
- Tomcat stores the hashed password
- User enters protected area of website
- Tomcat prompts for password
- User enters it
- Tomcat hashes entered password and compares to stored hash

In this scenario, if someone obtains the hashed password it is
relatively little use on its own since it is difficult to go from
hashed password to plain text password.

Moving on to the database password case:
- Tomcat connects to database
- Database prompts for password
- Tomcat reads password from config
- Tomcat provides password to database
- Database allows Tomcat access

In this second case Tomcat is the client rather than the server and
therefore needs the plain-text password in order to pass it to the
database.

Hashing the password doesn't help since Tomcat must use the actual
password to access the database.

Encrypting doesn't help either, since Tomcat would have to decrypt it
to use it, which means the decryption key must be accessible to
Tomcat. If the decryption key is accessible to Tomcat then it will be
accessible to whoever has access to the encrypted password too.
Therefore the encryption would be pointless.

Which brings me on to a much more important point. *If someone has got
enough access to your server to read server.xml and/or
tomcat-users.xml you have much bigger problems*. Your server is
totally compromised at this point. An attacker could do pretty much
whatever they wanted. With this level of control over a server there
are more options for an attacker than I have time to list here.
Suffice to say, encrypting the users passwords isn't going to help at all.

Hope this helps,

Mark


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

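The two flows Mark lays out, as an added illustration in Python (not code from this thread or from Tomcat itself). The first function reproduces the `digest="SHA"` format tomcat-users.xml used at the time, an unsalted lowercase-hex SHA-1 of the password, which is what Tomcat's digest script wrote into the file; the usernames, passwords and the `MockDatabase` stand-in are constructed for the example. The realm side only ever compares hashes, so the stored digest is of little use to someone who reads the file; the connection-pool side has to hand the database whatever is in server.xml, so a digest stored there simply fails to log in. Unsalted SHA-1 is shown only because it is what the thread discusses; current Tomcat realms support salted and iterated digests, which are what a practitioner should configure today.

```python
import hashlib
import hmac


def tomcat_digest(password: str) -> str:
    """digest="SHA" as in 2006-era tomcat-users.xml: unsalted SHA-1, lowercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def realm_authenticate(users: dict, username: str, entered_password: str) -> bool:
    """Server side (the tomcat-users.xml case).

    Tomcat stores only the digest. When the user types a password, Tomcat
    hashes it and compares against the stored value; the plain text is never
    kept on disk. compare_digest avoids leaking the match position via timing.
    """
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(tomcat_digest(entered_password), stored)


class MockDatabase:
    """Constructed stand-in for the database server Tomcat connects to.

    Like any server, it can store digests of its own accounts and hash what
    the connecting client presents. The client, however, must present the
    actual password.
    """

    def __init__(self, accounts: dict):
        # accounts: username -> plaintext password (constructed sample data);
        # the database keeps only digests of them.
        self._digests = {u: tomcat_digest(p) for u, p in accounts.items()}

    def connect(self, user: str, presented_password: str) -> bool:
        stored = self._digests.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(tomcat_digest(presented_password), stored)


def pool_connect(db: MockDatabase, configured_value: str) -> bool:
    """Client side (the server.xml case).

    Tomcat reads whatever string is in the connection-pool config and passes
    it to the database verbatim. If that string is a hash of the password,
    the database hashes it again and the comparison fails.
    """
    return db.connect("appuser", configured_value)


def demo() -> dict:
    """Run both flows on constructed credentials and report each outcome."""
    # What digest.sh would have written into tomcat-users.xml (constructed user).
    users = {"marc": tomcat_digest("example-pass")}
    # Constructed database account; the real server.xml would hold its password.
    db = MockDatabase({"appuser": "example-db-pass"})
    return {
        # Realm: hashing the typed password and comparing works.
        "realm_correct": realm_authenticate(users, "marc", "example-pass"),
        "realm_wrong": realm_authenticate(users, "marc", "guess"),
        # Realm: presenting the stolen digest as if it were the password fails,
        # because Tomcat hashes the input again before comparing.
        "realm_hash_as_password": realm_authenticate(users, "marc", users["marc"]),
        # Pool: the plaintext in server.xml is what the database needs.
        "pool_plaintext": pool_connect(db, "example-db-pass"),
        # Pool: storing a digest in server.xml instead just breaks the login.
        "pool_digest_in_config": pool_connect(db, tomcat_digest("example-db-pass")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The asymmetry is the whole point of Mark's answer: a verifier can work from a one-way digest because the party being authenticated supplies the secret each time, while a client has nothing to supply but the secret itself. Whatever form the value takes in server.xml, Tomcat must be able to turn it back into the exact bytes the database expects, which is why restricting who can read the file matters more than how the value is encoded.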


Re: SHA encrypting of passwords in server.xml/tomcat-users.xml files

2006-04-17 Thread Marc Farrow
This helps a lot.  I am not worried about hackers getting into our system so
much as programmers reading the XML file and getting a privileged password.
Not a big deal, we can just captivate the account and keep immoral
programmers out.

Thanks!


On 4/17/06, Mark Thomas [EMAIL PROTECTED] wrote:

 Marc Farrow wrote:
  I learned how to do this last week and I am enjoying the ease of setup in
  order to accomplish this.  However, I would like to expand on this a bit
  further and use the SHA encrypting with my database password (the one used
  in Tomcat's connection pooling).  Is this possible?  If so, can someone lead
  me in the right direction?

 It isn't possible. This comes up a lot so I will try and explain why.

 Starting with the Tomcat users example where you can use hashed passwords:
 - Tomcat stores the hashed password
 - User enters protected area of website
 - Tomcat prompts for password
 - User enters it
 - Tomcat hashes entered password and compares to stored hash

 In this scenario, if someone obtains the hashed password it is
 relatively little use on its own since it is difficult to go from
 hashed password to plain text password.

 Moving on to the database password case:
 - Tomcat connects to database
 - Database prompts for password
 - Tomcat reads password from config
 - Tomcat provides password to database
 - Database allows Tomcat access

 In this second case Tomcat is the client rather than the server and
 therefore needs the plain-text password in order to pass it to the
 database.

 Hashing the password doesn't help since Tomcat must use the actual
 password to access the database.

 Encrypting doesn't help either, since Tomcat would have to decrypt it
 to use it, which means the decryption key must be accessible to
 Tomcat. If the decryption key is accessible to Tomcat then it will be
 accessible to whoever has access to the encrypted password too.
 Therefore the encryption would be pointless.

 Which brings me on to a much more important point. *If someone has got
 enough access to your server to read server.xml and/or
 tomcat-users.xml you have much bigger problems*. Your server is
 totally compromised at this point. An attacker could do pretty much
 whatever they wanted. With this level of control over a server there
 are more options for an attacker than I have time to list here.
 Suffice to say, encrypting the users passwords isn't going to help at all.

 Hope this helps,

 Mark


--
Marc Farrow