On 30/10/2010 22:11, Darryl Lewis wrote:
> That's why we encrypt passwords in unix, or haven't you looked at etc/passwd 
> lately? Are you going to tell me that is complete nonsense?

Yet again you demonstrate your lack of understanding in this area. Those
are hashes since the OS never needs access to the password in plain
text. The fundamental difference in the database resource password use
case is that Tomcat must have access to the password in plain text.

> Having a username and password in clear text allows another account to be 
> compromised. And, if that account is on another box holding your DB, then the 
> attacker has two boxes for the price of one.
> This is additionally worse, as in a secure environment, the DB is usually in 
> a different architecture layer or vlan.

The username and password the application uses to connect to the
database should have the bare minimum permissions necessary for the
application to operate correctly. That should not equate to root for the
database and certainly shouldn't equate to root on the box.

> On 31/10/10 8:01 AM, "Pid *" <p...@pidster.com> wrote:
> 
> On 30 Oct 2010, at 15:20, Darryl Lewis <darryl.le...@unsw.edu.au> wrote:
> 
>> Well so far all this discussion has done is to make me realise that tomcat 
>> should not be used in an environment that requires security.
> 
> Complete nonsense.

+1

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
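A worked illustration of the least-privilege point made above, added here as an example; it is not code from the thread or from the Tomcat project. It assumes PostgreSQL and hypothetical names (database shopdb, role tomcat_app, tables orders and products, sequence orders_id_seq). The MySQL equivalent is a per-table GRANT to 'tomcat_app'@'apphost'.

```sql
-- PostgreSQL. Role, database, schema, table and sequence names are
-- assumptions for this example.

-- Weak setting: the Tomcat JNDI Resource carries the database superuser,
-- so a leaked context.xml gives an attacker the whole database server:
--   username="postgres" password="..."      -- do not do this

-- Least-privilege alternative: a dedicated login role that can reach only
-- the objects the application actually uses.
CREATE ROLE tomcat_app LOGIN PASSWORD 'replace-with-a-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Close the defaults that would otherwise grant access via PUBLIC.
REVOKE ALL ON DATABASE shopdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

GRANT CONNECT ON DATABASE shopdb TO tomcat_app;
GRANT USAGE ON SCHEMA public TO tomcat_app;

-- Table-by-table grants: only the statements the application code issues.
GRANT SELECT, INSERT, UPDATE ON TABLE orders TO tomcat_app;
GRANT SELECT ON TABLE products TO tomcat_app;
-- Needed when the application inserts into a table with a serial column.
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO tomcat_app;

-- Check: list every table privilege the role holds. Anything beyond the
-- grants above is something to revoke before the password goes into
-- Tomcat's Resource definition.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'tomcat_app'
ORDER BY table_name, privilege_type;
```

The role's password still ends up in plain text in the Resource element's password attribute, which is exactly the constraint Mark describes, so the remaining control is on the file: make the context file readable only by the account Tomcat runs as, and use a DB account whose compromise yields a handful of tables rather than the server.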
