Okay, I know I am starting a flame war but why go through the effort?
If I can see your encrypted passwords, then I can see the code that decrypts them. And with that I have your passwords. It only adds a step to my effort to crack your security.
The only way to really secure them is to secure the files they are stored in. If you are on Linux or Windoze with NTFS this can be done. Then only you and Tomcat can see them. This of course does not exclude the admin/root, but if you can't trust them then you have bigger issues.
So in reality don't bother with what is in the files, instead secure the files.
If you disagree, then explain how you are going to send the password to MySQL? And some more info on your environment may help us give you some other suggestions.
Please don't take this the wrong way. This has been discussed many times before and there is no real solution other than as stated above. If you have a different idea, please post it. We are open to new ideas and suggestions, but with this one, I feel the solution lies in the environment. Please feel free to prove me wrong. And yes it has been done before, for I am far from perfect.
Doug
----- Original Message -----
From: "Edmon Begoli" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[email protected]>
Sent: Saturday, February 26, 2005 10:08 PM
Subject: Question for Tomcat Developers - How to Plug In Encryption for JDBC passwords
Hi,
I am using Tomcat 5.5.7, and I am planning on upgrading as needed.
As we all know, Tomcat enables me to configure JDBC resources that my app can use through the JNDI. My problem is that these passwords have to be stored as plain text, which is a very bitter pill in my environment.
What is the Tomcat class that reads in those plain text values?
I would like to override this behavior and to enable this class to read digests/encrypted passwords.
I would also contribute this code to Tomcat code base if desired.
Please advise, Edmon
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
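The reply's advice to secure the files rather than their contents can be checked and applied on Linux with a short script. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the configuration files are owned by the account Tomcat runs as, so group and other need no access.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten permissions on the
# directory holding Tomcat's JDBC resource definitions (server.xml and the
# per-application context files with plain-text passwords).
# Assumption: the files are owned by the account Tomcat runs as.

# audit_conf DIR
# Print every regular file under DIR that group or other can read, write
# or execute. Empty output means only the owner (and root) can see them.
audit_conf() {
    find "$1" -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# harden_conf DIR
# Remove all group/other access from DIR and everything below it,
# leaving the owner's bits untouched.
harden_conf() {
    chmod -R go-rwx -- "$1"
}

# Stand-alone use: ./script.sh /path/to/tomcat/conf
# Lists exposed files and exits non-zero if any are found.
if [ "$#" -gt 0 ]; then
    exposed=$(audit_conf "$1")
    if [ -n "$exposed" ]; then
        printf 'Readable beyond owner:\n%s\n' "$exposed"
        exit 1
    fi
    printf 'OK: no group/other access under %s\n' "$1"
fi
```

Run the audit as the file owner or root so `find` can descend into every subdirectory; call `harden_conf` only after confirming which account Tomcat runs as.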
