Hi,
If you want to do something like that you can then extend
"org.apache.commons.dbcp.BasicDataSourceFactory" to encrypt/decrypt
the password...
And put it in a package jar and put it in common lib and set up the
datasource as described in JNDI datasource .....
Not an easy solution but can be achieved :)
Regards
Guru
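As an added example (not code from this thread, and not Guru's or the DBCP project's own), here is a sketch of the factory Guru describes: a subclass of BasicDataSourceFactory that decrypts the "password" attribute of the JNDI Reference before DBCP builds the pool. Assumptions, all mine: DBCP 1.x on the classpath under org.apache.commons.dbcp (Tomcat's bundled copy uses a different package name, and DBCP 2 is org.apache.commons.dbcp2), Java 8 or later for java.util.Base64 and AES-GCM, the AES key supplied base64-encoded in an environment variable named TOMCAT_DB_KEY, and a password attribute holding base64(iv || ciphertext || tag). The class and package names are invented for the example.

```java
// Added example, not from the thread: a DBCP object factory that decrypts the
// JNDI "password" attribute before building the pool.
// Assumed: DBCP 1.x (org.apache.commons.dbcp); Java 8+; AES key supplied
// base64-encoded in the TOMCAT_DB_KEY environment variable; class/package
// names are invented for this example.
package com.example.tomcat;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.commons.dbcp.BasicDataSourceFactory;

public class EncryptedPasswordDataSourceFactory extends BasicDataSourceFactory {

    private static final String KEY_ENV = "TOMCAT_DB_KEY"; // assumed name
    private static final int IV_BYTES = 12;                 // standard GCM nonce size
    private static final int TAG_BITS = 128;

    /** Swap the encrypted "password" RefAddr for its plaintext, then defer to DBCP. */
    @Override
    @SuppressWarnings("rawtypes")
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable environment) throws Exception {
        if (obj instanceof Reference) {
            Reference ref = (Reference) obj;
            for (int i = 0; i < ref.size(); i++) {
                RefAddr addr = ref.get(i);
                if ("password".equals(addr.getType())) {
                    String clear = decrypt((String) addr.getContent(), loadKey());
                    ref.remove(i);
                    ref.add(i, new StringRefAddr("password", clear));
                    break;
                }
            }
        }
        return super.getObjectInstance(obj, name, nameCtx, environment);
    }

    /** The key must be readable by the Tomcat process, so it is only as safe as that account. */
    static SecretKey loadKey() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null) {
            throw new IllegalStateException(KEY_ENV + " is not set");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 16 && raw.length != 32) {
            throw new IllegalStateException("AES key must be 16 or 32 bytes");
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Token format: base64( iv || ciphertext || gcm-tag ). */
    static String decrypt(String token, SecretKey key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(token);
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("password token too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, IV_BYTES)));
        // A tampered token fails here with AEADBadTagException rather than
        // yielding garbage that is then sent to the database.
        byte[] plain = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Produces the value to paste into the Resource password="" attribute. */
    static String encrypt(String password, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);   // fresh nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    /** Command-line helper: TOMCAT_DB_KEY=<base64 key> java ... <cleartext-password> */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: <cleartext-password>  (key in " + KEY_ENV + ")");
            System.exit(2);
        }
        String token = encrypt(args[0], loadKey());
        if (!args[0].equals(decrypt(token, loadKey()))) {
            throw new IllegalStateException("round-trip failed");
        }
        System.out.println(token);
    }
}
```

Wire it in with factory="com.example.tomcat.EncryptedPasswordDataSourceFactory" on the Resource element, with the jar in the server-wide lib directory so both Tomcat's JNDI code and DBCP can load it. Note what this does and does not buy: the password no longer sits in cleartext in the XML, and the GCM tag means an edited token is rejected instead of silently producing a wrong password, but the key is in the Tomcat process's environment, so anyone who can run code or read /proc as the tomcat user can recover it. That is the limit Darren's reply below describes.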
-----Original Message-----
From: Darren [mailto:[EMAIL PROTECTED]
Sent: 01 May 2007 16:10
To: Tomcat Users List
Subject: Re: Encrypting passwords in the connection pool setup
> Why wouldn't we at least store the MD5 hash of the passwords
> instead of the password in clear text, or use a scheme similar to the
> Unix /etc/passwd file?
You've not thought this through. Tomcat needs to decrypt or somehow
have the credentials in cleartext so it can pass them to the database
to establish a connection (MD5 is one way). If it were possible to
create the connection with an encrypted password, it would be just as
sensitive as the unencrypted version.
>> Also, the encryption doesn't have to be foolproof, it just needs
>> to be a deterrent. For the most part it is the people with shell
>> access that I want to remove the ability to read the passwords
>> from. Sometimes security through obscurity is enough.
How would this work? Something like
<Resource name="jdbc/db" auth="Container" type="javax.sql.DataSource"
driverClassName="com.mysql.jdbc.Driver"
username="user" obfuscated="true" password="sh7dhkaDaS"
url="jdbc:mysql://localhost:3306/appraisal?autoReconnect=true" />
If so, how do you propose to generate the obfuscated password? Maybe
a utility app that ships with the tomcat distribution? If so a
de-obfuscator would appear somewhere on the internet in a very short
space of time.
Don't get me wrong, I'd like to see something done which could
improve on the current cleartext situation, but I can't think of a
sensible solution that would warrant a developers time.
Darren
---------------------------------------------------------------------
To start a new topic, e-mail: [email protected]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------