The username and password still need decrypted at some time. It just makes
the attacker jump through 1 hoop.
Using file permissions on the config file as well and server security are the
ways to go.
-Tim
Curley, Thomas wrote:
Hi all,
A direct question arising from a security review :-
Subject: Re: Security Hole - server.xml
The username and password still need decrypted at some time. It just makes
the attacker jump through 1 hoop.
Using file permissions on the config file as well and server security are the
ways to go.
-Tim
Curley, Thomas wrote:
Hi all,
A direct question
Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml
The username and password still need decrypted at some time. It just makes
the attacker jump through 1 hoop.
Using file permissions on the config file as well and server security
if a hacker gets root
priv's ?
thanks
Thomas
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml
The username and password still need decrypted at some time. It just makes
Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 8:53 AM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
I'd feel more secure with an MD5 or SHA1 encrypted user and password than relying on
unix file level security - what happens
A direct question arising from a security review :-
Using a datasource it is possible to remove the 'username',
'password' or at least encrypt them using something like MD5
The Password can be digested. See
The link below is for users logging-in (FORM or BASIC). Not for database
connections.
-Tim
[EMAIL PROTECTED] wrote:
A direct question arising from a security review :-
Using a datasource it is possible to remove the 'username',
'password' or at least encrypt them using something like MD5
The
2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml
The username and password still need decrypted at some time.
It just makes
the attacker jump through 1 hoop.
Using file permissions on the config file as well and server
security are the
ways to go.
-Tim
, but if they have some brains will get through
eventually.
Greg
thanks
Thomas
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 13:51
To: Tomcat Users List
Subject: Re: Security Hole - server.xml
The username and password still need decrypted
to server.xml
Thomas
-Original Message-
From: Bob Jacoby [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 17:10
To: [EMAIL PROTECTED]
Subject: RE: Security Hole - server.xml
I consider things like this. By encrypting the password I'm protecting against casual
learning
have MD5 to store your
passwords with.
Justin
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:13 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
Note - in reply to Justin - I don't have a multi-tier login
So
thanks for your time Justin - I will look into this - T
-Original Message-
From: Hart, Justin [mailto:[EMAIL PROTECTED]
Sent: 26 November 2003 18:17
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
Well, right, but if you were to inherit from the realm that you wanted
No prob, good luck.
-Original Message-
From: Curley, Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 26, 2003 1:21 PM
To: Tomcat Users List
Subject: RE: Security Hole - server.xml
thanks for your time Justin - I will look into this - T
-Original Message-
From: Hart
Well, if you put in code, then every time it changes you need to recompile
your code, and redeploy your application.
If you put it in server.xml, you don't ever have to do that.
The security on server.xml is easy:
chmod 700 TOMCAT_USER
TOMCAT_USER = whatever user Tomcat runs as
John
On Thu,
TC 3.3.x has a variable-replacement option, which is very nice for this sort
of thing. Unfortunately, it hasn't been ported to TC 4.x.
Mohamed Tagari [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
Is there any way of taking the password and username for connecting to a
HI,
the database contains sensitive information and so the password and
username should not be available even as a read only..
Due to the sensitivity of the data it could be seen viable to recompile
the code, and redeploy your application.
mo
On Thu, 5 Jun 2003, John Turner wrote:
Well,
Java code can be decompiled. Easily.
Rogue classes can be inserted into improperly configured packages. There's
plenty more.
If your UNIX-like OS is unstable enough to allow a file owned by root with
permissions of 700 be viewable to various untrusted users, you've got
bigger concerns on
Is your book out? I couldn't find in local bookstore.
-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 6, 2003 2:19 PM
To: Tomcat Users List
Subject: Re: security of server.xml
Java code can be decompiled. Easily.
Rogue classes can be inserted into improperly
On Fri, 6 Jun 2003 14:24:34 -0400, Phillip Qin [EMAIL PROTECTED] wrote:
Is your book out? I couldn't find in local bookstore.
-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 6, 2003 2:19 PM
To: Tomcat Users List
Subject: Re: security of server.xml
Java code can
the database but
with luck you have that behind a firewall.
Jeff
-Original Message-
From: Mohamed Tagari [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:05 AM
To: Tomcat Users List
Subject: Re: security of server.xml
HI,
the database contains sensitive information and so