Marcus,

Milanez, Marcus wrote:
| Filip Hanik wrote:
|> if someone gets onto your machine as a super user, you have a bigger
|> problem than the password being in clear text
|
| That is the answer everyone gives in tomcat forums all over the
| internet, so it seems to me that no possible solution is available.

Possible solutions exist... it's just that nobody on the Tomcat team has
implemented any of those solutions in the main code base. You are free to
write your own classes that plug into Tomcat to read, say, a 3DES-encrypted
password with a known passphrase (which must be in the clear, by the way)
and use that for your database connections.

You could also use no password, in which case there's no sensitive
information in the context.xml file ;)

| On the other hand, is it right to stay behind a possible security
| fault (malicious super user performing login) in order to say I'll
| not correct known security issues in my application?

The admin needs to have the password somehow. Or, the password to the
password. Or, the password to the password to the ...

| The thing is I'm not responsible for the servers but the ones who
| are, keep arguing that this is a critical security problem. Are they
| seeing a big problem in a small one?

If your admins see this as a critical security problem, tell them to go
out and find another Java application server that doesn't have the same
issue.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
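The "write your own class that plugs into Tomcat" idea from the reply above, as an added example that is not from this thread or from the Tomcat project: a JNDI ObjectFactory that context.xml can name via the Resource element's factory attribute, which decrypts a 3DES-encrypted password before delegating to the stock DBCP factory. The delegate class name, the key-file path, the key-file contents and the ciphertext layout are all assumptions of this example; the key file is the "password to the password" and still sits in the clear on disk, so this only narrows who can read the secret to the user Tomcat runs as.

```java
package example; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.naming.spi.ObjectFactory;

public class DecryptingDataSourceFactory implements ObjectFactory {
    // Assumed: the DBCP factory bundled with Tomcat that normally builds the DataSource.
    private static final String DELEGATE = "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory";
    // Assumed path. The file holds the base64 24-byte 3DES key and must be readable
    // only by the Tomcat user (e.g. mode 0400); anyone who can read it can decrypt.
    private static final String KEY_FILE = System.getProperty("db.keyfile", "/etc/tomcat/db.key");

    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> env) throws Exception {
        Reference ref = (Reference) obj;
        // Rebuild the Reference with the same class name so the delegate accepts it,
        // swapping only the "password" address for its decrypted value.
        Reference copy = new Reference(ref.getClassName(), DELEGATE, null);
        for (int i = 0; i < ref.size(); i++) {
            RefAddr addr = ref.get(i);
            if ("password".equals(addr.getType())) {
                copy.add(new StringRefAddr("password", decrypt((String) addr.getContent())));
            } else {
                copy.add(addr);
            }
        }
        ObjectFactory delegate = (ObjectFactory) Class.forName(DELEGATE)
                .getDeclaredConstructor().newInstance();
        return delegate.getObjectInstance(copy, name, nameCtx, env);
    }

    // Assumed ciphertext layout: base64( 8-byte IV || DESede/CBC/PKCS5Padding ciphertext ).
    static String decrypt(String b64) throws Exception {
        String keyText = new String(Files.readAllBytes(Paths.get(KEY_FILE)), StandardCharsets.UTF_8).trim();
        byte[] key = Base64.getDecoder().decode(keyText);
        byte[] blob = Base64.getDecoder().decode(b64);
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "DESede"), new IvParameterSpec(blob, 0, 8));
        return new String(c.doFinal(blob, 8, blob.length - 8), StandardCharsets.UTF_8);
    }
}
```

With this class on Tomcat's classpath, the Resource element keeps its usual attributes but sets factory="example.DecryptingDataSourceFactory" and carries the base64 ciphertext in password= instead of the clear-text value.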