Mark,

On 10/29/2010 10:04 AM, Mark Thomas wrote:
> On 29/10/2010 14:53, Ronald Klop wrote:
>> If you have a webapp where users log in you can use their login/password
>> to login on the database. A little bit inconvenient for the DBA but you
>> don't have passwords on your servers.
>
> It isn't quite that clear cut. There are some trade-offs to make with
> this approach (and I'm not sure I like them).
>
> 1. The user's password has to be available in plain text. That prevents
> you from storing digested passwords in the realm.

This can be avoided by using a random key created during webapp startup
(and persisted across re-deploys, but not undeploy/deploy) to encrypt all
the passwords during runtime.

That key might still be discoverable using the techniques you've already
described (reflection, etc.).

-chris
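The pattern Chris describes above, sketched as an added example (not code from the thread or from Tomcat): a small vault class that generates an AES key once at webapp startup, seals each user's database password under it right after authentication, and opens it only for the instant a database connection is obtained. The class name `RuntimeCredentialVault`, the method names `seal`/`open`, and the sample password are assumptions; the example keeps the key purely in memory and does not model persisting it across re-deploys. As the mail notes, the key is still reachable by anything that can run code or reflection inside the JVM, so this narrows exposure (no plaintext password at rest in the session) rather than eliminating it.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical helper: holds users' DB passwords encrypted under a key that
 * exists only for the life of this webapp instance (create one per startup,
 * e.g. from a ServletContextListener, and store the sealed bytes in the session).
 */
public final class RuntimeCredentialVault {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private final SecretKey key;
    private final SecureRandom rng = new SecureRandom();

    /** Generates a fresh random AES-256 key; nothing is read from disk or config. */
    public RuntimeCredentialVault() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        this.key = kg.generateKey();
    }

    /** Seal a plaintext password with AES-GCM; returns IV || ciphertext+tag. */
    public byte[] seal(char[] password) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv); // unique IV per sealing; reuse under one key breaks GCM
        // Encode via CharBuffer so no immutable String copy of the password is created.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] plain = new byte[encoded.remaining()];
        encoded.get(plain);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        Arrays.fill(plain, (byte) 0); // scrub the transient plaintext copy
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Recover the password only at connection time; the caller must zero the result. */
    public char[] open(byte[] sealed) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(sealed, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        // Any tampering with the sealed bytes makes doFinal throw (AEADBadTagException).
        byte[] plain = c.doFinal(sealed, GCM_IV_BYTES, sealed.length - GCM_IV_BYTES);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] out = new char[decoded.remaining()];
        decoded.get(out);
        Arrays.fill(plain, (byte) 0);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        RuntimeCredentialVault vault = new RuntimeCredentialVault();
        char[] pw = "s3cret-demo".toCharArray(); // constructed sample value, not a real credential
        byte[] sealed = vault.seal(pw);           // this is what goes into the HttpSession
        Arrays.fill(pw, '\0');                     // plaintext no longer lives in the session
        char[] again = vault.open(sealed);         // done right before DriverManager.getConnection(...)
        System.out.println("round trip ok: " + Arrays.equals(again, "s3cret-demo".toCharArray()));
        Arrays.fill(again, '\0');
    }
}
```

Because the key dies with the JVM, a heap dump or serialized session taken after a restart cannot be decrypted, and a sealed blob copied to another instance is useless; what this does not protect against is code already executing inside the same webapp, which can simply call `open` or read the key field by reflection, which is exactly the residual risk the mail points out.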