Thank you, Matt, for your prompt response. We do have our own server, use SSL, protect our directories, and the database I believe is further protected from the evil world by firewalls and gateways and views and what not. But your advice seems to be to do everything we can - I'll follow it and look into encryption/decryption algorithms then: thanks very much! Geeta
Matt Penner wrote: > If saving your passwords (or really any sensitive information) in any kind of a > system whether it is a flat file (txt, XML, etc) or a database there is no sure > way of keeping this safe. So use as many measures as you can without > comprimising usability. This way if the OS gets comprimised and the file is > availabe they wont be able to readily read your information. Especially > necessary if you're not hosting your own server. The admins aren't supposed to > look in your files but you can't be too trusting and you're relying on their > ability to keep the system secure. > > The basic idea I have seen is that you use whatever security the OS/Database > can give you (like you have) as well as an encryption scheme when saving the > data. > > This can be simply your own function which can encrypt / decrypt what you store > or retrieve from the XML file, or you can go as in depth as you want and use > some major encryption schemes. > > Hope this helps, > Matt > > Quoting Geeta Ramani <[EMAIL PROTECTED]>: > > > Hi all: > > > > The subject says it all: currently I am storing information that my > > connection pool uses like database URL, username and password in the > > web.xml > > as init-params. I thought that if I secured WEB-INF with go-rwx, this > > is > > secure. But in a recent code-review this has been brought into > > question. > > So here are my questions: > > > > 1. Am I deluding myself that this is safe? > > 2. If so, is there some way that any of you has solved the problem? > > > > I looked in the archives, but all the dicussion with passwords seems > > to > > be around the issue of encryting un/pw pairs entered in a browser, for > > which, of course, SSL and one way encryption can be used. I mention > > this > > so my question is not misunderstood. > > > > Thanks very much! > > Geeta > > > > ___________________________________________________________________________ > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the > > body > > of the message "signoff SERVLET-INTEREST". > > > > Archives: http://archives.java.sun.com/archives/servlet-interest.html > > Resources: > > http://java.sun.com/products/servlet/external-resources.html > > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html > > > > ___________________________________________________________________________ > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body > of the message "signoff SERVLET-INTEREST". > > Archives: http://archives.java.sun.com/archives/servlet-interest.html > Resources: http://java.sun.com/products/servlet/external-resources.html > LISTSERV Help: http://www.lsoft.com/manuals/user/user.html ___________________________________________________________________________ To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST". Archives: http://archives.java.sun.com/archives/servlet-interest.html Resources: http://java.sun.com/products/servlet/external-resources.html LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
