On 31/10/2010 12:29, Mark Thomas wrote:
> On 31/10/2010 04:53, Mladen Turk wrote:
>> On 10/30/2010 07:28 PM, Mark Thomas wrote:
>>> On 30/10/2010 12:59, Mladen Turk wrote:
>>>> On 10/29/2010 03:29 PM, Mark Thomas wrote:
>>>>>
>>>>> I never said passwords should never be protected. I was quite specific
>>>>> that trying to encrypt usernames and passwords in server.xml (or
>>>>> context.xml for that matter) for database resources is a complete waste
>>>>> of time.
>>>>>
>>>>
>>>> Agreed. If the hacker is already logged in with the same uid,
>>>> there isn't much you can do.
>>>> However, that makes me wonder why we are keeping the passwords
>>>> in memory unencrypted. I suppose we should do at least some memory
>>>> cleansing for any intermediate security-related processing product.
>>>
>>> Unfortunately the database password for a database resource needs to be
>>> available throughout the life of the Tomcat process.
>>>
>>
>> Well, in theory, once loaded it can be kept encrypted inside an
>> in-memory key store using a random key and a disk-based salt.
>> This would require a disk read on each database authz to
>> get the password from the in-memory key store, however, so
>> it might be a performance issue.
> 
> And it still doesn't protect from an attacker that has compromised the
> Tomcat process and/or the user the process is running as.
> 
> All we are doing here is constructing more and more elaborate security
> by obscurity mechanisms.

This would make a good discussion item for Thursday evening's meetup
(free to all) at ApacheCon this week. I'll add it to the wiki page.

http://wiki.apache.org/tomcat/TomcatAtApacheConNA2010

Mark

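The exchange above argues two things: Mladen's proposal (keep the loaded password encrypted in memory under a random key, with the salt on disk, and wipe decrypted copies after use) and Mark's objection (anything running in the same process, or as the same user, can simply ask for the plaintext). The following is an added, language-independent sketch in Python, not code from the thread or from Tomcat, that implements the proposed scheme and then shows the objection holding. The names `SealedSecret`, `wipe` and `demo`, the HMAC-SHA256 counter-mode stream used as a stdlib-only stand-in for a real cipher, and the sample password are all constructed for this example.

```python
"""Added example: an in-memory encrypted secret holder with an on-disk salt,
and why it does not stop code that already runs inside the same process."""
import hashlib
import hmac
import os
import tempfile


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only toy stream cipher.
    # A production implementation would use a real AEAD (e.g. AES-GCM).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class SealedSecret:
    """Holds a secret encrypted in memory (the scheme proposed in the thread).

    The random key lives only in this object; the salt lives on disk, so every
    decryption costs a disk read, and a dump of the object's fields alone does
    not contain the plaintext.
    """

    def __init__(self, secret: bytes, salt_path: str):
        self._salt_path = salt_path
        if not os.path.exists(salt_path):
            with open(salt_path, "wb") as f:
                f.write(os.urandom(16))
        self._random_key = os.urandom(32)   # never written to disk
        self._nonce = os.urandom(16)
        ks = self._keystream_for(len(secret))
        self._ciphertext = bytes(a ^ b for a, b in zip(secret, ks))

    def _derive(self) -> bytes:
        # Disk read on every use: key = KDF(random in-memory key, on-disk salt)
        with open(self._salt_path, "rb") as f:
            salt = f.read()
        return hashlib.pbkdf2_hmac("sha256", self._random_key, salt, 10_000)

    def _keystream_for(self, n: int) -> bytes:
        return _keystream(self._derive(), self._nonce, n)

    def reveal(self) -> bytearray:
        """Return the plaintext as a mutable bytearray so the caller can wipe it."""
        ks = self._keystream_for(len(self._ciphertext))
        return bytearray(a ^ b for a, b in zip(self._ciphertext, ks))


def wipe(buf: bytearray) -> None:
    # "Memory cleansing": overwrite a decrypted copy once it has been used.
    for i in range(len(buf)):
        buf[i] = 0


def demo(salt_dir=None) -> dict:
    """Run the scheme end to end and report what each party can observe."""
    salt_dir = salt_dir or tempfile.mkdtemp()
    password = b"constructed-db-password"   # constructed sample value
    sealed = SealedSecret(password, os.path.join(salt_dir, "salt.bin"))

    # 1. What a dump of the holder's fields shows: no plaintext.
    fields = sealed._ciphertext + sealed._random_key + sealed._nonce
    plaintext_in_dump = password in fields

    # 2. Legitimate use by the connection pool: decrypt, use, wipe.
    buf = sealed.reveal()
    used_correctly = bytes(buf) == password
    wipe(buf)
    wiped = all(b == 0 for b in buf)

    # 3. Mark's point: code already inside the process (or running as the
    #    same uid with access to it) needs no key material of its own;
    #    it calls the same accessor and gets the same plaintext.
    attacker_view = bytes(sealed.reveal()) == password

    return {
        "plaintext_in_dump": plaintext_in_dump,
        "used_correctly": used_correctly,
        "wiped": wiped,
        "attacker_view": attacker_view,
    }


if __name__ == "__main__":
    print(demo())
```

The result shows what each side of the thread is getting at: the dump of the holder's fields contains no plaintext and the decrypted copy can be zeroed after use, but the final check is `True` for the in-process caller as well, which is exactly the "same uid, same process" limit the thread describes.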


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
