Why are plain text passwords in the config files? Because there is no good way to "secure" them. When Tomcat needs to connect to a database, it needs the original password. While the password could be encoded, there still needs to be a mechanism to decode it. And since the source to Tomcat is freely available, the attacker would know the decoding method. So at best, the password is obscured - but not really protected.
http://wiki.apache.org/tomcat/FAQ/Password

2014/1/30 Mark Thomas <ma...@apache.org>
> On 30/01/2014 09:46, Ja kub wrote:
> > is it possible not to write keystorePass in open text in server.xml, and
> > make tomcat ask for it at startup ?
> > or specify only some hash of it (rather not possible) ?
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
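Added example, written for this page and not taken from the FAQ, from Mark, or from the Tomcat code base: it shows the closest thing Tomcat offers to what was asked for, and why the FAQ's conclusion still holds. Tomcat resolves ${...} placeholders in server.xml through a pluggable property source (the org.apache.tomcat.util.IntrospectionUtils.PropertySource interface, selected with the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE; check the docs for your Tomcat version). The class below pulls an obscured value out of an environment variable and reverses the obscuring step, so keystorePass no longer appears in clear text in server.xml. The placeholder prefix "obscured:", the environment variable name, the package name and the XOR key are all assumptions made for the example.

```java
// Added example, not Tomcat's own code. Wiring assumed for the demo:
//   server.xml:   <Connector ... keystorePass="${obscured:KEYSTORE_PASS}" ... />
//   environment:  KEYSTORE_PASS=<output of obscure("...")>
//   CATALINA_OPTS: -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=example.ObscuredEnvPropertySource
//   the compiled class on Tomcat's class path (e.g. a jar in $CATALINA_HOME/lib)
package example; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.tomcat.util.IntrospectionUtils;

public class ObscuredEnvPropertySource implements IntrospectionUtils.PropertySource {

    // Placeholder prefix chosen for this example so that only ${obscured:NAME}
    // is handled here; everything else falls through to Tomcat's other sources.
    private static final String PREFIX = "obscured:";

    // The "key" for the obscuring step. It ships with the class, so it is not a
    // secret in any meaningful sense: this is the FAQ's point in one line.
    private static final byte[] KEY = "not-a-secret".getBytes(StandardCharsets.US_ASCII);

    @Override
    public String getProperty(String key) {
        if (!key.startsWith(PREFIX)) {
            return null; // not ours; Tomcat consults system properties etc.
        }
        String encoded = System.getenv(key.substring(PREFIX.length()));
        if (encoded == null) {
            return null; // unresolved placeholder, Tomcat leaves it as written
        }
        // Tomcat still receives the clear-text password here; it has to,
        // because it needs the real value to open the keystore.
        return deobscure(encoded);
    }

    // XOR with a repeating key, then Base64. Reversible by construction.
    static String obscure(String clear) {
        return Base64.getEncoder().encodeToString(xor(clear.getBytes(StandardCharsets.UTF_8)));
    }

    // The inverse: anyone who can read this class (or Tomcat's own sources,
    // if the mechanism were built in) can recover the password from the
    // environment variable or from a copy of the obscured string.
    static String deobscure(String encoded) {
        return new String(xor(Base64.getDecoder().decode(encoded)), StandardCharsets.UTF_8);
    }

    private static byte[] xor(byte[] in) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] ^ KEY[i % KEY.length]);
        }
        return out;
    }

    // Stand-alone use: prints the obscured form to put in the environment, and
    // demonstrates that the round trip gives the clear text straight back.
    //   javac -cp tomcat-util.jar example/ObscuredEnvPropertySource.java
    //   java  -cp tomcat-util.jar:. example.ObscuredEnvPropertySource changeit
    public static void main(String[] args) {
        String clear = args.length > 0 ? args[0] : "changeit"; // sample input
        String encoded = obscure(clear);
        System.out.println("obscured : " + encoded);
        System.out.println("recovered: " + deobscure(encoded));
    }
}
```

What this buys you is separation: the password leaves server.xml, so a copy of the config alone no longer reveals it. What it does not buy you is protection in the FAQ's sense. Anyone who can read the environment of the Tomcat process, the JVM's memory, or this class plus the environment variable gets the clear text, and Tomcat itself must hold the clear text to open the keystore. That is the same conclusion as the FAQ: obscured, not secured.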