No, there is no way currently. The problem is that the password needs to be decoded, and no method to do this securely has been proposed. Other vendors might do this, but they probably just use a proprietary encoding algorithm, which is just security through obscurity.

The recommended workaround now is:
1) Custom realm - so your implementation encryption can be a "secret"
2) Make server.xml read-only for the userid needing to run tomcat and let no one have access to that box with that ID



-Tim


Cathy Hui wrote:
I probably didn't state my question more clearly.

What I actually want to encrypt is the dblogin passwd, not the user
login to tomcat.  Is there a way to do that?

Thanks for the reply!

Cathy



-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 10:49 AM
To: Tomcat Users List
Subject: RE: How to Secure my Passwd Info from server.xml file?




Hi,
No, you have to write a custom realm for this.  A couple of others have
asked in the past, so you may wish to search the archives to see if they
posted their solutions.

If you come up with something nice and generic, it'd be a nice donation
to tomcat ;)

Yoav Shapira
Millennium Research Informatics



-----Original Message-----
From: Cathy Hui [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 25, 2004 1:41 PM
To: [EMAIL PROTECTED]; tomcat-user- [EMAIL PROTECTED]; [EMAIL PROTECTED]; tomcat- [EMAIL PROTECTED]
Subject: How to Secure my Passwd Info from server.xml file?


I am trying to solve a security issue with my webapp. We are using tomcat's connection pooling for our webapp. The database username and password are specified in the server.xml file (as shown below).

Is there a way to encrypt the password, and tomcat should decrypt the password before establishing the database connection. We are trying to do this without changing the tomcat code itself. Is it a setting in tomcat, or is there a 3rd party software?

Any suggestions/solutions are appreciated. Thanks
<Resource name="jdbc/iOQDB" auth="Container" type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/iOQDB">
<parameter>
<name>username</name>
<value>myuser</value>
</parameter>
<parameter>
<name>password</name>
<value>mypassword</value>
</parameter>
</ResourceParams>


Thanks!
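
Workaround 2 from the reply at the top of this thread (server.xml read-only for the Tomcat user only), as an added check that is not part of the original messages: it flags a server.xml that holds a cleartext `password` parameter while its owner or mode lets anyone else read or change it. The function names, the `expected_uid` parameter and the sample file are assumptions made for this example, and it assumes a POSIX host.

```python
import os
import re
import stat
import tempfile

# Matches the <parameter><name>password</name><value>...</value> form
# used in the ResourceParams snippet quoted in the thread.
PASSWORD_PARAM = re.compile(
    r"<name>\s*password\s*</name>\s*<value>(.*?)</value>", re.S | re.I)

def audit_server_xml(path, expected_uid):
    """Return findings for a server.xml that stores a cleartext DB password."""
    findings = []
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if not PASSWORD_PARAM.search(text):
        return findings  # no cleartext password parameter to protect
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append("owner uid %d is not the Tomcat uid %d"
                        % (st.st_uid, expected_uid))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants access to group/other" % mode)
    if mode & stat.S_IWUSR:
        findings.append("mode %04o is owner-writable, not read-only" % mode)
    return findings

def demo():
    """Audit a constructed copy of the thread's snippet at two modes."""
    sample = """<ResourceParams name="jdbc/iOQDB">
<parameter><name>username</name><value>myuser</value></parameter>
<parameter><name>password</name><value>mypassword</value></parameter>
</ResourceParams>"""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(sample)
    try:
        os.chmod(path, 0o644)   # typical default: world-readable
        loose = audit_server_xml(path, os.getuid())
        os.chmod(path, 0o400)   # read-only, owner only
        strict = audit_server_xml(path, os.getuid())
    finally:
        os.remove(path)
    return loose, strict

if __name__ == "__main__":
    print(demo())
```

The findings never include the password value itself, so the output can go into a log or ticket.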

