On 30 Oct 2010, at 15:20, Darryl Lewis <[email protected]> wrote:
> Well so far all this discussion has done is to make me realise that tomcat
> should not be used in an environment that requires security.

Complete nonsense.

p

> If cracking an app will let you get passwords on another box, that is weak
> security.
>
>
> On 30/10/10 11:27 PM, "Caldarale, Charles R" <[email protected]>
> wrote:
>
>> From: Darryl Lewis [mailto:[email protected]]
>> Subject: Re: running tomcat6 under a different user than root (debian)
>
>> Use encryption
>> http://java.sys-con.com/node/393364
>
> Sorry, that just moves the problem. The article completely ignores the issue
> of where to put the decryption key - which must be in plain text somewhere.
> As Mark pointed out, obfuscation != security.
>
> - Chuck
>
> P.S. Interesting that the author of that article was using a Tomcat already
> three years old at the time of publication; doesn't really help the somewhat
> questionable credibility. (Reference implementations shouldn't be used in
> production? Where did he get that one?)
