Hi Jerome...
Don't think it's possible with Tomcat.... it doesn't have an encrypted password
store.
But I think you're right... it's part of a more general issue... namely that the
server, as a user, is a power user, and has to be able to get at resources on
the machine... so you've got this power user guarding all other users. Now if
the passwords are used in a web-only context... not too big a problem... but
if the password is also the user's XP password, and they have access to the
company's treasury... it's a huge problem.
Now you will see that this is also an issue on other systems... even systems
that have the privilege of being able to integrate with the subsystem...
like for example IIS on Active Directory.
Where the password would not normally be stored... i.e. the hash of the
password is stored and that's protected behind admin privileges... this all
breaks down because of the way BASIC and DIGEST authentication work... you
will see that "then" they have to store the original password (as a
reversible process) because without it... it's not possible to make Digest
and Basic work... those systems need to get at the original plain-text
password.
I think BASIC could be made to work with a hash, but I don't think Digest can
work at all without it (the plain-text password).... and on the web Digest is
the better scheme... Basic is very vulnerable.
Anyway... the thing is... there are trade-offs... so if you're looking for a
foolproof scheme... you're not going to find it.
I do think that Tomcat could do with an encrypted password storage scheme...
i.e. there is a master password, stored as a hash... and only the system can
get to it and decrypt the passwords stored in users.xml. But having said
that... how would that work with other realms, because now they have to
interoperate... and that means there has to be a single point of security
access... it all gets very complicated.
I've just made my own simple security solution for servlets, maybe you want
to look at it.
http://coolese.100free.com/
It's called GangBang... yeah I know... my imagination is in the gutter ha ha...
but it's called that because it allows for single sign-on across domains, and
multiple machines.
Anyway... I'm getting there because what's on your mind also worried me and I
want to tell you how GangBang handles it.
Like Tomcat it has a plain visible password store... because it's easy, and
for many systems it's all you need.
BUT... then what I did instead of going for the preconfigured realm idea...
is just expose an interface... so the system can be told to ask another
little class for the password and user roles. So what this does is allow you
to do anything you want... for example if you wanted to store encrypted
passwords in your database... you can. Don't know enough about LDAP to really
comment, but I imagine one could set up a one-way password scheme on it AND a
reversible scheme just for your web server... the point is you can code whatever
you have to.
In your case.... you could encrypt the passwords and store them in a file...
behind a master password with a little salt... in your web-app.
Security in theory should be visible... i.e. you should be able to tell people
the scheme and it's still difficult... but I'm beginning to think that in a
cross-platform system like Tomcat... it's near impossible... so all I came up
with is a way to let the programmer do whatever they want.
Can it stop someone hacking Tomcat as a power user.... no... I don't think
anything can... that's like trying to keep an administrator out of a system.
But can you make it damn difficult to get at sensitive passwords.... yes.
... have fun
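The following is an added example, not code from the original posts, from GangBang or from Tomcat. It shows the shape of the "ask another little class for the password and user roles" idea described above, with the one-way-hash variant the reply says BASIC could be made to work with: a servlet-side check asks a small interface for a verdict and a role set, and the class behind it holds salted PBKDF2 hashes in a file instead of the clear-text values in tomcat-users.xml. The interface name CredentialSource, the one-user-per-line file format, the iteration count and the sample user are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical pluggable source: the web layer only ever sees a yes/no and roles. */
interface CredentialSource {
    boolean verify(String user, char[] password);
    Set<String> roles(String user);
}

/**
 * Assumed file format, one user per line:  user:base64(salt):base64(hash):role1,role2
 * Reading this file yields salted hashes that must be cracked offline, not clear
 * text that can be typed straight into the user's desktop login or another system.
 */
final class HashedFileCredentialSource implements CredentialSource {
    private static final int ITERATIONS = 100_000, KEY_BITS = 256, SALT_BYTES = 16;
    private final Map<String, String[]> records = new HashMap<>();

    HashedFileCredentialSource(Path file) throws IOException {
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            if (line.isBlank() || line.startsWith("#")) continue;
            String[] f = line.split(":", 4);               // user, salt, hash, roles
            if (f.length == 4) records.put(f[0], f);
        }
    }

    /** Build the stored line for a new account; the clear text is never written. */
    static String newRecord(String user, char[] password, String... roles) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);                // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        return user + ":" + b64.encodeToString(salt) + ":"
             + b64.encodeToString(pbkdf2(password, salt)) + ":" + String.join(",", roles);
    }

    @Override public boolean verify(String user, char[] password) {
        String[] f = records.get(user);
        if (f == null) return false;                       // unknown user: same path cost as a bad password below
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] actual = pbkdf2(password, b64.decode(f[1]));
        return MessageDigest.isEqual(b64.decode(f[2]), actual);  // constant-time comparison
    }

    @Override public Set<String> roles(String user) {
        String[] f = records.get(user);
        return f == null ? Set.of() : new HashSet<>(Arrays.asList(f[3].split(",")));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

public class BasicAuthDemo {
    /** Check an HTTP Basic "Authorization" header value; returns the user on success. */
    static Optional<String> authenticate(CredentialSource src, String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String decoded = new String(Base64.getDecoder().decode(authorization.substring(6).trim()), StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        char[] pw = decoded.substring(colon + 1).toCharArray();
        try {
            String user = decoded.substring(0, colon);
            return src.verify(user, pw) ? Optional.of(user) : Optional.empty();
        } finally {
            Arrays.fill(pw, '\0');                         // drop the clear text as soon as it is checked
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample store for the demo (a real one would be owned by and readable only by the server user).
        Path store = Files.createTempFile("users", ".txt");
        Files.writeString(store, HashedFileCredentialSource.newRecord("jerome", "s3cret".toCharArray(), "manager") + "\n");
        CredentialSource src = new HashedFileCredentialSource(store);

        String good = "Basic " + Base64.getEncoder().encodeToString("jerome:s3cret".getBytes(StandardCharsets.UTF_8));
        String bad  = "Basic " + Base64.getEncoder().encodeToString("jerome:guess".getBytes(StandardCharsets.UTF_8));
        System.out.println(authenticate(src, good).map(u -> u + " roles=" + src.roles(u)).orElse("denied"));
        System.out.println(authenticate(src, bad).orElse("denied"));
        Files.delete(store);
    }
}
```

Under Tomcat this would sit behind a Filter or a custom Realm. Note the limit Jerome's question already points at: on a shared host every webapp runs as the same Unix user, so a co-tenant webapp can still read this file. Hashing changes what they get (salted hashes to crack rather than passwords to replay), but only separate OS users and separate Tomcat instances per tenant actually keep one webapp out of another's credential store.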
----- Original Message -----
From: "Jerome Benezech" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Friday, May 18, 2007 6:29 AM
Subject: UserDatabase & security
Hi,
I have a question regarding Tomcat server UserDatabase
on Linux.
When choosing a MemoryUserDatabase, tomcat users and
passwords are declared in a tomcat-users.xml file. The
tomcat user running the server must have read
permission on this file.
At the same time, all webapps running in tomcat are
running under the same Linux user ('tomcat'). So any
webapp can access this file and display its content.
My app is hosted on a shared Linux server. With the
present configuration, I can retrieve this file and
display every user login/password, then if I wanted
to, I could go into somebody else's webapp manager and
undeploy it.
I am a bit worried that somebody would do that to
me...
Is there a way to ensure that only the root user can
read this file?
Thanks
Jerome
Jerome Benezech
[EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------