Yes, it's out. It's only one-third "mine", though... there were several authors, as is the custom with Wrox Press.


I'm not surprised your local store doesn't have a copy... it's a fairly esoteric subject, all things considered. Probably explains the 34K+ sales ranking on Amazon, too. LOL

John

On Fri, 6 Jun 2003 14:24:34 -0400, Phillip Qin <[EMAIL PROTECTED]> wrote:

Is your book out? I couldn't find it in the local bookstore.

-----Original Message-----
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 6, 2003 2:19 PM
To: Tomcat Users List
Subject: Re: security of server.xml



Java code can be decompiled. Easily.


Rogue classes can be inserted into improperly configured packages. There's plenty more.

If your UNIX-like OS is unstable enough to allow a file owned by root with permissions of 700 to be viewable to various untrusted users, you've got bigger concerns on your hands besides hiding the database connection password. Keep in mind, too, that the password is most likely going to be transmitted in the clear... it's trivial to have a packet sniffer retrieve it.

I hate to self-promote, but perhaps you might want to consider picking up a copy of the Apache Tomcat Security Handbook from Wrox Press, ISBN 1861008309.

John

On Thu, 5 Jun 2003 16:04:43 +0100 (BST), Mohamed Tagari <[EMAIL PROTECTED]> wrote:

Hi,

the database contains sensitive information and so the password and username should not be available even as a read only..

Due to the sensitivity of the data it could be seen viable to recompile the code, and redeploy your application.

mo

On Thu, 5 Jun 2003, John Turner wrote:


Well, if you put in code, then every time it changes you need to recompile your code, and redeploy your application.


If you put it in server.xml, you don't ever have to do that.

The security on server.xml is easy:

chmod 700 TOMCAT_USER

TOMCAT_USER = whatever user Tomcat runs as

John

On Thu, 5 Jun 2003 10:40:21 +0100 (BST), Mohamed Tagari <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Is there any way of taking the password and username for connecting to a
> database out of the server.xml, and placing it in code before the lookup
> is done on this?? As having the username and password as plain text is
> not very secure..
>
> // java code
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.sql.DataSource;
>
> // JNDI lookup of the container-managed DataSource declared in server.xml
> Context init = new InitialContext();
> Context ctx = (Context) init.lookup("java:comp/env");
> DataSource ds = (DataSource) ctx.lookup("jdbc/myoracle");
>
>
>
> // extract from server.xml
> <Resource name="jdbc/myoracle" auth="Container"
> type="javax.sql.DataSource"/>
>
> <ResourceParams name="jdbc/myoracle">
> .
> .
> .
> <parameter>
> <name>username</name>
> <value>scott</value>
> </parameter>
> <parameter>
> <name>password</name>
> <value>tiger</value>
> </parameter>
> .
> .
> </ResourceParams>
>
> mo
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>




-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

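The permission control John describes above (server.xml owned by the account Tomcat runs as, mode 700), as an added shell example that is not part of the thread: it checks that a given server.xml is a regular file owned by the expected uid and carries no group or world permission bits, so the DataSource username and password inside it are readable only by that account (and root). The file path, the uid argument and the sample server.xml fragment are constructed for the example; `id -u tomcat` would supply the uid on a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies the control John's reply
# relies on: server.xml must be owned by the Tomcat account and must grant
# nothing to group or other, so the credentials in it stay private to that
# account (and root).
#
# Assumptions: GNU or BSD stat is available; the Tomcat account's numeric uid
# is passed in (e.g. "$(id -u tomcat)"); the sample server.xml below is
# constructed here purely for the demonstration.

# check_server_xml FILE UID
# Returns 0 when FILE is a regular file owned by UID whose group and other
# permission bits are all cleared (e.g. mode 600 or 700). Returns 1 and
# prints the reason on stderr otherwise.
check_server_xml() {
    file=$1
    want_uid=$2
    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi
    # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first, then fall back.
    owner=$(stat -c %u "$file" 2>/dev/null || stat -f %u "$file")
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %OLp "$file")
    if [ "$owner" != "$want_uid" ]; then
        echo "$file: owned by uid $owner, expected uid $want_uid" >&2
        return 1
    fi
    # The mode is 3 or 4 octal digits (4 when setuid/setgid/sticky are set);
    # the last two digits are always the group and other permission sets.
    rest=${mode%??}
    group_other=${mode#$rest}
    if [ "$group_other" != "00" ]; then
        echo "$file: mode $mode grants access to group/other" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed server.xml fragment (not a real Tomcat install).
demo_dir=$(mktemp -d)
sample="$demo_dir/server.xml"
cat > "$sample" <<'EOF'
<Server>
  <!-- constructed sample; the credential values are placeholders -->
  <Resource name="jdbc/myoracle" auth="Container" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/myoracle">
    <parameter><name>username</name><value>EXAMPLE_USER</value></parameter>
    <parameter><name>password</name><value>EXAMPLE_PASSWORD</value></parameter>
  </ResourceParams>
</Server>
EOF

# 644 (the usual default) fails the check; 600 and 700 pass it.
for m in 644 600 700; do
    chmod "$m" "$sample"
    if check_server_xml "$sample" "$(id -u)"; then
        echo "mode $m: ok"
    else
        echo "mode $m: FAIL"
    fi
done
rm -rf "$demo_dir"
```

Running it as the Tomcat account prints `mode 644: FAIL` (with the reason on stderr) followed by `mode 600: ok` and `mode 700: ok`; pointing it at a live `conf/server.xml` with the Tomcat uid gives a quick audit of the setting the thread discusses.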















