Are you experiencing the same thing?

-----Original Message-----
From: Timothy Fisher <[EMAIL PROTECTED]>
To: Tomcat Users List <[EMAIL PROTECTED]>
Date: Thursday, November 01, 2001 12:47 PM
Subject: Re: Form authentication/ password changing

> Craig,
>
> I agree with all of your comments. From the tomcat access perspective,
> you're correct, flat file vs. DB storage of users/passwords may be roughly
> equivalent in terms of how secure that is.
>
> But, if you ignore tomcat, and just consider the usernames and passwords
> sitting out there, I would argue that they are more vulnerable sitting in
> a flat file than in a database. But I'm sure this could be debated on and
> on...
>
> Tim
>
> --- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
>>
>> On Thu, 1 Nov 2001, Timothy Fisher wrote:
>>
>> > Date: Thu, 1 Nov 2001 12:08:18 -0800 (PST)
>> > From: Timothy Fisher <[EMAIL PROTECTED]>
>> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
>> > To: Tomcat Users List <[EMAIL PROTECTED]>
>> > Subject: Re: Form authentication/ password changing
>> >
>> > There is a sample tomcat-users.xml included with tomcat 4.0 in the
>> > conf directory. Just follow this format. Yes, the file must be in
>> > this format, unless you write your own connector.
>> >
>>
>> Yep.
>>
>> > The server containing the tomcat-users file definitely must be
>> > protected. Yes, this is less secure than storing the users/passwords
>> > in a directory/database.
>> >
>>
>> It's hard to talk about "more secure" or "less secure" unless we define
>> how you measure this :-). However, I would suggest that this is not
>> necessarily true.
>>
>> First, under all circumstances, you should run Tomcat under a username
>> other than root. That username must (obviously) have read access to the
>> files in the "conf" directory. But, *no* other users on the server should
>> be able to read those files. This allows you to leverage your operating
>> system's standard protection for files.
>>
>> Second, let's assume that we put the users in a database instead, and
>> configure JDBCRealm to have Tomcat talk to it. If you examine the
>> configuration parameters you have to set up in "conf/server.xml", you will
>> note that you have to specify the database username and password -- so you
>> are *still* depending on limiting access to the configuration files, even
>> if you take this approach. That doesn't sound "more secure" to me.
>>
>> (An approach that would qualify as "more secure" would be to challenge the
>> system administrator for a password when Tomcat is started up. Some
>> progress towards building such stuff has taken place with regards to the
>> "keystore" files used for SSL certificates, but not yet for database
>> passwords. And, you have to balance the security with the extra hassle
>> that you cannot script a startup of Tomcat without having someone around
>> to answer the password prompt.)
>>
>> > Tim
>> >
>>
>> Craig
>>
>>
>> --
>> To unsubscribe: <mailto:[EMAIL PROTECTED]>
>> For additional commands: <mailto:[EMAIL PROTECTED]>
>> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>>
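Craig's argument rests on the operating system's file protection: only the Tomcat account may read conf/server.xml and conf/tomcat-users.xml, and that account must not be root. The check script below is an added example, not code from the thread or from Tomcat; the CATALINA_HOME path and the "tomcat" user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two assumptions behind
# Craig's point. Uses only POSIX sh and ls(1); the Tomcat install path and
# account name are placeholders, not values taken from the discussion.

# check_conf_perms DIR
# Prints one line per problem. Returns 0 when both credential-bearing
# files under DIR/conf exist and carry no group or other read bit,
# otherwise returns 1.
check_conf_perms() {
    dir="$1"
    rc=0
    for f in "$dir"/conf/server.xml "$dir"/conf/tomcat-users.xml; do
        [ -e "$f" ] || { echo "MISSING $f"; rc=1; continue; }
        # Columns 1-10 of ls -ld are the mode string, e.g. -rw-------
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            # column 5 is the group read bit, column 8 the other read bit
            ????r?????|???????r??) echo "READABLE BY OTHERS $mode $f"; rc=1 ;;
        esac
    done
    return $rc
}

# check_not_root USER: the account Tomcat runs as must not be root.
check_not_root() {
    [ "$1" != "root" ] || { echo "Tomcat must not run as root"; return 1; }
    return 0
}

# Stand-alone use: audit $CATALINA_HOME (placeholder) for the tomcat user.
if [ -n "$CATALINA_HOME" ]; then
    check_conf_perms "$CATALINA_HOME"
    check_not_root "${TOMCAT_USER:-tomcat}"
fi
```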