On 2/12/16, 3:29 PM, "Leo Donahue" <donahu...@gmail.com> wrote:


>On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <
>dougherty.greg...@mayo.edu> wrote:
>>
>> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
>>
>>
>> >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
>> >dougherty.greg...@mayo.edu> wrote:
>> >>
>> >> The web app needs a DB password so it can connect to the DB.
>> >
>> >I disagree that the web app needs a password.
>> The web app has to be able to read and write to the DB.  That takes a
>> password.
>
>No, javax.sql.DataSource needs a password.  Your web app just needs a user
>name.
>
>Your custom data source will fetch a password.
How?

What, precisely, is the exact mechanism by which this custom DataSource
will fetch the password?  And how is it that someone else, who has full
access to all my source code, including to the source code of my custom
DataSource, won't be able to retrieve the exact same password?

Requirement for "secure": There are no files sitting anywhere on the
server that have a plain text copy of my password.

Requirement for secure: The sys admin does not get to know my password.
He's "trusted" in that we assume he won't abuse his private key in order
to steal my password.  He's not "trusted" to know everyone's passwords.
Requirement from system: password must be updated every six months.  So I
have to be able to change the password, and inform my web app of the
changed password.

>A.  You don't get to manage your passwords.
>
>B.  The suggestion I'm giving you requires coordination with sys admins
>and
DBA's.  It is more than just a simple app trying to find a way to hide
>passwords, none of which will "ever" be in source control.
>
>Leo

A: I'm the only one who knows my password, I have to manage it.  I have to
be able to use that password in contexts totally divorced from the web
server.
B: A solution that requires the sys admin to know, and update every six
months, my passwords is not a viable solution.
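
Editor's note, added to this thread and not written by either participant: the "custom DataSource that fetches the password" mechanism under discussion looks roughly like the class below. The web app and context.xml hold only the JDBC URL and user name; the password is obtained from a PasswordSource at the moment each connection is opened, so rotating it needs no redeploy and it never sits in the WAR or in source control. The class name, the PasswordSource interface, and the file-backed source are assumptions made for this illustration, not Tomcat APIs.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Arrays;
import java.util.Objects;
import java.util.logging.Logger;
import javax.sql.DataSource;

/**
 * Illustrative example (hypothetical class, not from the thread): a DataSource
 * that knows the JDBC URL and user name but never stores the password itself.
 * The password is fetched from a PasswordSource on every getConnection() call.
 */
public final class FetchingDataSource implements DataSource {

    /** Hypothetical: where the password comes from (vault client, agent socket, file, ...). */
    public interface PasswordSource {
        char[] fetch() throws IOException;
    }

    /**
     * Hypothetical file-backed source: a file outside the webapp, readable only
     * by the OS user Tomcat runs as. Note the caveat: this relocates the secret
     * rather than removing it; anyone who can read that file, or run code as the
     * same OS user, obtains exactly the same password.
     */
    public static final class FilePasswordSource implements PasswordSource {
        private final Path path;
        public FilePasswordSource(Path path) { this.path = Objects.requireNonNull(path); }
        @Override public char[] fetch() throws IOException {
            byte[] raw = Files.readAllBytes(path);
            return new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
        }
    }

    private final String url;
    private final String user;
    private final PasswordSource passwords;

    public FetchingDataSource(String url, String user, PasswordSource passwords) {
        this.url = Objects.requireNonNull(url);
        this.user = Objects.requireNonNull(user);
        this.passwords = Objects.requireNonNull(passwords);
    }

    /** Fetch the current password, open the connection, then wipe our copy. */
    @Override public Connection getConnection() throws SQLException {
        char[] pw;
        try {
            pw = passwords.fetch();
        } catch (IOException e) {
            throw new SQLException("could not fetch database password", e);
        }
        try {
            // JDBC only accepts a String, so a copy remains on the heap until GC.
            return DriverManager.getConnection(url, user, new String(pw));
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    /** Caller-supplied credentials are refused: the app must not know the password. */
    @Override public Connection getConnection(String u, String p) throws SQLException {
        throw new SQLException("caller-supplied credentials are not accepted");
    }

    // Remaining javax.sql.DataSource / CommonDataSource / Wrapper methods.
    @Override public PrintWriter getLogWriter() { return null; }
    @Override public void setLogWriter(PrintWriter out) { }
    @Override public void setLoginTimeout(int seconds) { }
    @Override public int getLoginTimeout() { return 0; }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
    @Override public <T> T unwrap(Class<T> iface) throws SQLException {
        throw new SQLException("not a wrapper");
    }
    @Override public boolean isWrapperFor(Class<?> iface) { return false; }

    /** Stand-alone demo: path and URL are placeholders; a JDBC driver must be on the classpath. */
    public static void main(String[] args) {
        Path secret = Paths.get(System.getProperty("db.password.file", "/etc/tomcat/db.secret"));
        DataSource ds = new FetchingDataSource("jdbc:postgresql://db.example/app", "appuser",
                                               new FilePasswordSource(secret));
        try (Connection c = ds.getConnection()) {
            System.out.println("connected, autocommit=" + c.getAutoCommit());
        } catch (SQLException e) {
            System.out.println("connection failed: " + e.getMessage());
        }
    }
}
```

To expose an instance through Tomcat's JNDI you would either instantiate it from a ServletContextListener, or give it a no-argument constructor plus setters and declare it as a `<Resource>` using Tomcat's `org.apache.naming.factory.BeanFactory`. Because the password is re-read on every connection, a six-monthly rotation only requires updating the source and, for pooled connections, letting the old ones drain. What this does not do is answer the objection raised in the message above: whoever can run this code with the same OS identity, or read the same PasswordSource, gets the same password.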


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org