On 10/30/2010 07:28 PM, Mark Thomas wrote:
On 30/10/2010 12:59, Mladen Turk wrote:
On 10/29/2010 03:29 PM, Mark Thomas wrote:
I never said passwords should never be protected. I was quite specific
that trying to encrypt usernames and passwords in server.xml (or
context.xml for that matter) for
On 10/30/2010 11:11 PM, Darryl Lewis wrote:
Yeah, well reasoned rebuttal there... not.
That's why we encrypt passwords in unix, or haven't you looked at etc/passwd
lately?
Have *you* ever looked at the etc/passwd?
First of all it is not encrypted. It contains a hash value of the password
so yo
> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
> Subject: Re: running tomcat6 under a different user than root (debian)
> That's why we encrypt passwords in unix, or haven't you
> looked at etc/passwd lately?
No, we encrypt them in Linux because the (very outmoded) /etc/passwd file is
Yeah, well reasoned rebuttal there... not.
That's why we encrypt passwords in unix, or haven't you looked at etc/passwd
lately? Are you going to tell me that is complete nonsense?
According to your 'argument' that is 'security by obscurity'. You better break
that to the GNU crowd gently.
Having a
On 30 Oct 2010, at 15:20, Darryl Lewis wrote:
> Well so far all this discussion has done is to make me realise that tomcat
> should not be used in an environment that requires security.
Complete nonsense.
p
> If cracking an app will let you get passwords on another box, that is weak
> secu
On 30/10/2010 18:27, Mark Thomas wrote:
> On 30/10/2010 15:19, Darryl Lewis wrote:
>> Well so far all this discussion has done is to make me realise that tomcat
>> should not be used in an environment that requires security.
>> If cracking an app will let you get passwords on another box, that is
On 30/10/2010 12:59, Mladen Turk wrote:
> On 10/29/2010 03:29 PM, Mark Thomas wrote:
>>
>> I never said passwords should never be protected. I was quite specific
>> that trying to encrypt usernames and passwords in server.xml (or
>> context.xml for that matter) for database resources is a complete
On 30/10/2010 15:19, Darryl Lewis wrote:
> Well so far all this discussion has done is to make me realise that tomcat
> should not be used in an environment that requires security.
> If cracking an app will let you get passwords on another box, that is weak
> security.
You are missing the point.
On 30/10/2010 13:27, Caldarale, Charles R wrote:
> P.S. Interesting that the author of that article was using a Tomcat already
> three years old at the time of publication; doesn't really help the somewhat
> questionable credibility. (Reference implementations shouldn't be used in
> production
Well so far all this discussion has done is to make me realise that tomcat
should not be used in an environment that requires security.
If cracking an app will let you get passwords on another box, that is weak
security.
On 30/10/10 11:27 PM, "Caldarale, Charles R" wrote:
> From: Darryl Lewis
to solve will need
web.xml
all .jsp
*.wsdl
all java files
Martin
> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
> Subject: Re: running tomcat6 under a different user than root (debian)
> Use encryption
> http://java.sys-con.com/node/393364
Sorry, that just moves the problem. The article completely ignores the issue
of where to put the decryption key
On 10/29/2010 03:29 PM, Mark Thomas wrote:
I never said passwords should never be protected. I was quite specific
that trying to encrypt usernames and passwords in server.xml (or
context.xml for that matter) for database resources is a complete waste
of time.
Agreed. If the hacker is already
Use encryption
http://java.sys-con.com/node/393364
On 30/10/10 8:41 PM, "Pid" wrote:
> On 30/10/2010 09:19, Christoph Kukulies wrote:
>> On 29.10.2010 15:29, Mark Thomas wrote:
>>> On 29/10/2010 14:19, Darryl Lewis wrote:
Are you serious?
>>> Completely. If you have a scheme that encrypt
On 30/10/2010 11:49, Pid wrote:
How can I solve this problem?
If your APR really is 1.2.9, then I suspect that you need to upgrade
your APR to a newer version. Version 1.4.2 was released 2010-04-04.
APR is not the problem here. If it were then it wouldn't load at all.
I would also recomm
On 06/10/2010 17:20, Samuel Hofer wrote:
> Hi,
>
> I'm trying to install Apache Tomcat 6.0.29 on a Debian GNU/Linux 5.0.4
> 32bit with kernel release 2.6.26-2-686 with APR and SSL.
>
> JDK 1.6.0_21
> APR 1.2.9
> OpenSSL 0.9.8
>
> There seems to be a problem with the Tomcat Native library 1.1.20:
On 26/10/2010 03:42, ww...@ogcio.gov.hk wrote:
>
> Dear Sir/Madam,
>
> Recently it has been checked that there is a security vulnerability for
> the tomcat (version 5.0.9) shipped with the JBoss 4.0.3SP1.
>
> From the link below, it is recommended to upgrade to 5.5.28.
>
> http://marc.info/?l=tom
On 30/10/2010 09:19, Christoph Kukulies wrote:
> On 29.10.2010 15:29, Mark Thomas wrote:
>> On 29/10/2010 14:19, Darryl Lewis wrote:
>>> Are you serious?
>> Completely. If you have a scheme that encrypts the database username and
>> password in server.xml and provides genuine additional security
On 29/10/2010 11:49, alok kakani wrote:
>>
>> Hi All,
>>
>> I am working Business Objects 3.1(BOE) with tomcat being the application
>> server. I am new to the web application part, hence I had some doubts
>>
>> We are trying to step up a BOE on 2 machines & we will have tomcat
>> installed on both
On 29/10/2010 17:15, M.Arkhypov wrote:
>
> Dear Chuck,
>
> thank you for your attention and reply,
>
> we have followed some of your advice, but without success:
>
>
> We have this server.xml file:
>
> unpackWARs="true" autoDeploy="true"
> xmlValidation="fa
On 29.10.2010 15:29, Mark Thomas wrote:
On 29/10/2010 14:19, Darryl Lewis wrote:
Are you serious?
Completely. If you have a scheme that encrypts the database username and
password in server.xml and provides genuine additional security over and
above limiting access to server.xml to the user r
21 matches