Well, so far all this discussion has done is to make me realise that Tomcat should not be used in an environment that requires security. If cracking an app will let you get passwords on another box, that is weak security.

On 30/10/10 11:27 PM, "Caldarale, Charles R" <chuck.caldar...@unisys.com> wrote:

> From: Darryl Lewis [mailto:darryl.le...@unsw.edu.au]
> Subject: Re: running tomcat6 under a different user than root (debian)

> Use encryption
> http://java.sys-con.com/node/393364

Sorry, that just moves the problem. The article completely ignores the issue of where to put the decryption key - which must be in plain text somewhere. As Mark pointed out, obfuscation != security.

 - Chuck

P.S. Interesting that the author of that article was using a Tomcat already three years old at the time of publication; doesn't really help the somewhat questionable credibility. (Reference implementations shouldn't be used in production? Where did he get that one?)