On 29/10/2010 12:03, Darryl Lewis wrote:
> Now I have to try and convince them that storing the database connection
> username and passwords in plaintext are a bad idea...

I trust that the supplier replies that there is nothing wrong with this approach. The most you'll ever be able to achieve is limiting access to the username and password to the user running the Tomcat process. Since the OS provides a fine set of file permissions for doing exactly that, why bother with anything else? 'Encrypting' the username and password will never be anything more than security by obscurity and that is no security at all.

Mark
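
The file-permission control described in the reply above can be checked mechanically. This is an added example, not part of the original message: it assumes a POSIX system, and the file name and the uid of the account running Tomcat are placeholders.

```python
import os
import stat
import tempfile


def audit_credentials_file(path, expected_uid):
    """Return a list of findings; an empty list means only expected_uid has access."""
    st = os.lstat(path)  # lstat: do not follow a symlink sitting in place of the file
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")

    # Any group/other bit means an account other than the owner can reach the file.
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        findings.append(f"{path}: group/other permission bits set ({extra:03o})")

    # A directory writable by others (without the sticky bit) lets them
    # rename the file away and put their own copy in its place.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    if pmode & 0o022 and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable by group/other")

    return findings


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the Tomcat
    # configuration file that holds the database username and password.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "db-resource.xml")  # hypothetical name
    with open(sample, "w") as fh:
        fh.write('<Resource username="app" password="constructed-value"/>\n')

    os.chmod(sample, 0o644)  # weak: readable by every local account
    print(audit_credentials_file(sample, os.getuid()))

    os.chmod(sample, 0o600)  # owner-only, as the reply recommends
    print(audit_credentials_file(sample, os.getuid()))
```

In a real deployment `expected_uid` would be the uid of the account the Tomcat process runs as, for example from `pwd.getpwnam()`.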