Jerome Benezech wrote:
> I have a question regarding Tomcat server UserDatabase on Linux.
> When choosing a MemoryUserDatabase, tomcat users and passwords are declared in a tomcat-users.xml file. The tomcat user running the server must have read permission on this file.
> At the same time, all webapps running in tomcat are running under the same Linux user ('tomcat'). So any webapp can access this file and display its content.
>
> My app is hosted on a shared Linux server. With the present configuration, I can retrieve this file and display every user login/password, then if I wanted to, I could go into somebody else's webapp manager and undeploy it.
> I am a bit worried that somebody would do that to me...
>
> Is there a way to ensure that only the root user can read this file?
Well, Tomcat needs to be able to read that file, so you must make it readable for Tomcat. OTOH: instead of plaintext passwords you could use digested ones. Take a look at the "digest" attribute of <Realm> and bin/digest.sh.

Regards
mks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
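The digest suggestion in the reply, worked through as an added example (it is not code from the thread or from Tomcat itself): the plaintext default `<Realm>` beside the `digest="SHA"` variant, a tomcat-users.xml that stores only hex digests, and the check the realm performs at login. It reproduces what `bin/digest.sh` printed on the Tomcat 5.x/6.x line (lowercase hex MessageDigest of the password bytes); the sample user, the role map and the algorithm-name table are constructed for illustration. Assumption worth checking against your version's realm how-to: Tomcat 8 and later default to a salted, iterated CredentialHandler format rather than a bare hex digest. Note also that digesting does not address the question as asked: a co-tenant webapp can still read the file, it just gets hashes that must be cracked offline instead of passwords it can use directly.

```python
"""Digested credentials for tomcat-users.xml (added example, not from the thread).

Mirrors bin/digest.sh on the Tomcat 5.x/6.x line: hash the password bytes with a
Java MessageDigest algorithm and store the lowercase hex digest in place of the
plaintext, with a matching digest="..." attribute on the <Realm>. Sample users,
roles and the algorithm map are constructed. Assumption: Tomcat 8+ defaults to a
salted, iterated CredentialHandler format instead of this bare-digest layout.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Java MessageDigest names accepted by <Realm digest="..."> -> hashlib names.
JAVA_TO_HASHLIB = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}


def digest_password(password: str, algorithm: str = "SHA", encoding: str = "UTF-8") -> str:
    """Hex digest, the part digest.sh -a <algorithm> prints after 'password:'."""
    h = hashlib.new(JAVA_TO_HASHLIB[algorithm.upper()])
    h.update(password.encode(encoding))
    return h.hexdigest()


def realm_element(algorithm: Optional[str]) -> str:
    """server.xml <Realm>; None is the plaintext default, i.e. the weak setting."""
    attrs = ('className="org.apache.catalina.realm.UserDatabaseRealm" '
             'resourceName="UserDatabase"')
    if algorithm:
        attrs += f' digest="{algorithm}"'
    return f"<Realm {attrs}/>"


def tomcat_users_xml(users: Dict[str, str], roles: Dict[str, str],
                     algorithm: Optional[str]) -> str:
    """Build tomcat-users.xml; with an algorithm set, only digests are written."""
    root = ET.Element("tomcat-users")
    for role in sorted(set(roles.values())):
        ET.SubElement(root, "role", rolename=role)
    for name, pw in users.items():
        stored = digest_password(pw, algorithm) if algorithm else pw
        ET.SubElement(root, "user", username=name, password=stored, roles=roles[name])
    return ET.tostring(root, encoding="unicode")


def check_credential(stored: str, presented: str, algorithm: Optional[str]) -> bool:
    """Login-time check: digest what the client sent and compare with the stored
    value. Constant-time comparison is used here; Tomcat's own realm code may
    compare differently."""
    candidate = digest_password(presented, algorithm) if algorithm else presented
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    users = {"manager": "password"}   # constructed sample account
    roles = {"manager": "manager"}
    print(realm_element(None))
    print(tomcat_users_xml(users, roles, None))      # plaintext on disk
    print(realm_element("SHA"))
    print(tomcat_users_xml(users, roles, "SHA"))     # only the SHA-1 hex digest on disk
    print(check_credential(digest_password("password"), "password", "SHA"))
```

Running the script prints the two configurations side by side; the digested tomcat-users.xml carries the same hex string that `digest.sh -a sha password` would have produced, and the `<Realm>` must name the same algorithm or every login will fail.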