On 9/2/2010 11:28 AM, Christopher Schultz wrote:

> Luca,
>
> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> > I'm working to secure this, but...it's not too easy (and I'm surely not
> > a skilled programmer...).
> >
> > But I hope this topic will be kept up!
>
> There is virtually nothing you can do about this. The only solutions
> here are:
>
> 1. Use a password entered on the console during start-up (the "Apache
>    httpd strategy")

Or a minor variant of this, such as entering the pwd on a secure web page just after startup, though this has other disadvantages.

> 2. Remove the password from the keystore
>
> Removing the password from the keystore is just about as (in)secure as
> having the password in server.xml in plain-text.
>
> All other strategies simply move the problem to some other component.
> Protecting one password requires another password which requires
> protecting which ... you get the idea.

D
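To make the "Apache httpd strategy" from option 1 concrete, here is an added example (not from this thread and not Tomcat's own code) of what it looks like in plain JSSE: the keystore password is read from the process's console at start-up and never written to server.xml, a property file or the environment. The class name, the keystore path and the assumption that the private-key entry shares the store password are all hypothetical. It also shows the operational caveat the reply alludes to: when no interactive console is attached (the service was started by init or a scheduler), the loader refuses to start rather than falling back to a stored password, because a silent fallback would reintroduce exactly the plain-text secret this option is meant to remove.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Hypothetical stand-alone example: builds an SSLContext from a keystore
 * whose password is typed on the console at start-up instead of being
 * stored in a configuration file. Not part of Tomcat.
 */
public final class ConsoleKeystoreLoader {

    private ConsoleKeystoreLoader() {}

    /**
     * Prompts for the password without echoing it. Returns null when no
     * interactive console is attached (e.g. started by init or cron), so
     * the caller can fail closed instead of reading a stored password.
     */
    static char[] promptPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            return null;
        }
        return console.readPassword("%s", prompt);
    }

    /**
     * Loads the keystore and initialises an SSLContext. The password array
     * is overwritten once the key managers are built so the secret does
     * not linger on the heap longer than needed.
     */
    static SSLContext buildContext(String keystorePath, char[] password)
            throws IOException, GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(keystorePath)) {
                ks.load(in, password);
            }
            // Assumption: the private-key entry uses the same password as
            // the store, which is the usual layout for a server keystore.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                    KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null);
            return ctx;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical default path; pass the real keystore as argument 1.
        String path = args.length > 0 ? args[0] : "conf/localhost.jks";
        char[] pw = promptPassword("Keystore password for " + path + ": ");
        if (pw == null) {
            // No console: refuse to start rather than fall back to a
            // password baked into a file or the environment.
            throw new IllegalStateException(
                    "No interactive console; cannot read keystore password.");
        }
        SSLContext ctx = buildContext(path, pw);
        System.out.println("Loaded " + path + " using " + ctx.getProtocol());
    }
}
```

This demonstrates the mechanism only; wiring the resulting SSLContext into a Tomcat Connector is a separate task, since the stock connector reads `keystorePass` from server.xml. The trade-off is the one the thread describes: an operator has to be present at every restart, and any script that tries to automate that step ends up storing the password somewhere, which is the problem being moved rather than solved.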


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org