Re: Tomcat JDBC configuration does not encrypt the database password

2015-10-26 Thread Christopher Schultz
Dave,

On 10/26/15 7:22 AM, Dave Cronin wrote:
> In the JNDI DataSource HowTo page, it describes how to configure the
> DataSource in the application Context. I see that the password is not
> encrypted. Is there any way to configure this with an encrypted password?
> 
> A JDBC resource is configured like this in the documentation:
> 
> <Resource maxTotal="100" maxIdle="30" maxWaitMillis="1"
>           username="javauser" password="javadude"
>           driverClassName="com.mysql.jdbc.Driver"
>           url="jdbc:mysql://localhost:3306/javatest"/>
> 
> From
> https://tomcat.apache.org/tomcat-8.0-doc/jndi-datasource-examples-howto.html#MySQL_DBCP_Example
> 
> Other people facing the same problem have written their own 
> extension of a DataSourceFactory, adding their own encryption
> feature. See these pages below.
> 
> How to Secure Tomcat Database Passwords for Java
> "In production environments there are features of Tomcat that don't pass 
> security audit reviews"
> http://websphere.sys-con.com/node/393364
> 
> Encrypting database passwords (in Tomcat)
> http://www.jdev.it/encrypting-passwords-in-tomcat/

http://wiki.apache.org/tomcat/FAQ/Password

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Tomcat JDBC configuration does not encrypt the database password

2015-10-26 Thread Dave Cronin
In the JNDI DataSource HowTo page, it describes how to configure the DataSource 
in the application Context. I see that the password is not encrypted. Is there 
any way to configure this with an encrypted password?

A JDBC resource is configured like this in the documentation:



From
https://tomcat.apache.org/tomcat-8.0-doc/jndi-datasource-examples-howto.html#MySQL_DBCP_Example

Other people facing the same problem have written their own extension of a  
DataSourceFactory, adding their own encryption feature. See these pages below.

How to Secure Tomcat Database Passwords for Java
"In production environments there are features of Tomcat that don't pass 
security audit reviews"
http://websphere.sys-con.com/node/393364

Encrypting database passwords (in Tomcat)
http://www.jdev.it/encrypting-passwords-in-tomcat/

Regards
Dave Cronin

Dave Cronin | Software Quality Assurance Executive | VocaLink
+44 (0)203 818 4423 (direct) | +44 (0)870 165 0019 (switchboard)
dave.cro...@vocalink.com | 
www.vocalink.com






Re: encrypt the database password

2012-05-24 Thread Filip Hanik Mailing Lists
Yes, there is; search http://tomcat.markmail.org for the same.
org.apache.tomcat.util.digester.PROPERTY_SOURCE
is a system property where you can add the code that digests properties in
server.xml.
This code can 'decode' your encoded properties.



- Original Message -
> From: "Bill Wang" 
> To: "Tomcat Users List" 
> Sent: Wednesday, May 23, 2012 11:34:10 PM
> Subject: encrypt the database password
> 
> Hi All,
> 
> There is a tomcat server with some database setup.
> 
> cd apache-tomcat-6.0.29/conf
> cat server.xml
> 
> <Resource driverClassName="oracle.jdbc.driver.OracleDriver"
>   factory="oracle.jdbc.pool.OracleDataSourceFactory"
>   maxActive="20"
>   maxIdle="10" maxWait="-1" name="jdbc/abc"
>   password="abcADMIN"
>   type="oracle.jdbc.pool.OracleDataSource"
>   url="jdbc:oracle:thin:@localhost:1521:mydb" user="abc" />
> 
> 
> So with the plain password, an end user may get the password directly.
> 
> 
> How can I create an encrypted password within server.xml?
> 

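An added example (not code from the thread or from the Tomcat project) of a class that could be named in the org.apache.tomcat.util.digester.PROPERTY_SOURCE system property mentioned above. Instead of decoding an encoded value, it resolves ${...} placeholders from a file kept outside conf/ and refuses a file that is readable by anyone but its owner. The package name, class name and the "secrets.file" system property are hypothetical.

```java
package com.example.tomcat; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${key} placeholders in the XML files Tomcat's Digester parses from a
 * properties file that only the Tomcat service account can read.
 * The file path comes from the (hypothetical) system property "secrets.file".
 */
public class FileSecretPropertySource implements IntrospectionUtils.PropertySource {

    private final Properties secrets = new Properties();

    public FileSecretPropertySource() {
        String location = System.getProperty("secrets.file");
        if (location == null) {
            return; // nothing configured: every lookup below returns null
        }
        Path file = Paths.get(location);
        try {
            // Refuse a secrets file that group or others can read (POSIX file systems only).
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalStateException(file + " must be readable by its owner only");
            }
            try (InputStream in = Files.newInputStream(file)) {
                secrets.load(in);
            }
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read secrets file " + file, e);
        }
    }

    @Override
    public String getProperty(String key) {
        // Returning null lets the Digester fall back to system properties for this key.
        return secrets.getProperty(key);
    }
}
```

With this class on Tomcat's class path and named in org.apache.tomcat.util.digester.PROPERTY_SOURCE, the Resource would carry password="${db.password}" and the secrets file would define db.password. The password is still recoverable by anyone who can read that file or run code as the Tomcat user, so the protection comes from file ownership and permissions, not from encoding.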



RE: encrypt the database password

2012-05-23 Thread Caldarale, Charles R
> From: Bill Wang [mailto:bw57...@gmail.com] 
> Subject: encrypt the database password

> So with the plain password, an end user may get the password directly.

Only if you don't bother to protect access to your Tomcat server.  And if you 
don't do that, you've got much, much bigger problems than someone discovering 
the DB password.

> How can I create an encrypted password within server.xml?

It's amazing how often this inept question comes up.  If you encrypt the 
password in server.xml, how do you expect Tomcat to open data base connections? 
 Read the FAQ:

http://wiki.apache.org/tomcat/FAQ/Password

 - Chuck





encrypt the database password

2012-05-23 Thread Bill Wang
Hi All,

There is a tomcat server with some database setup.

cd apache-tomcat-6.0.29/conf
cat server.xml

  


So with the plain password, an end user may get the password directly.


How can I create an encrypted password within server.xml?