Password encryption in tomcat 5.

Greenhorn
Hi,

I am using the Apache_Tomcat_5_5_27 server. We are using context.xml for configuring the database, where the username and password are stored in plain text. I want to use an encrypted password in this file. Is it possible? If yes, please let us know in detail how to do it.

Thanks in advance,

Regards,
chandan
Rancher
What are you trying to guard against? Rogue admins that have access to the server installation? Outside attackers that have gained access to the machine? Something/someone else?
Tim Holloway (Saloon Keeper)
A related thread, although it has some diversions in it: https://coderanch.com/t/307198/JDBC/java/Encrypted-Password-Oracle-JDBC

Placing an encrypted password in a file is of limited benefit, because as long as someone is using the same mechanism, they can copy the encrypted password, paste it into their malware, and gain just as much benefit as if it were unencrypted. You could, perhaps, subclass the dbcp class to take an encrypted password, but that subclass would then have to locally decrypt the password, and therefore you risk having the cleartext password go down the network anyway.

The best protection for production database passwords (and other production resources) is to seal off the internal production environment from outside access, both in-house and global.

Perhaps a more practical approach is to override the dbcp config at the server level. If you provide a copy of the context.xml file in the Tomcat server's conf/Catalina/localhost directory, that copy can contain the password in a more secure location. At a minimum, it wouldn't be as easy to pass around as a WAR file. I do this sometimes. Because I don't do separate builds for test and production, the context.xml in the WAR is for the test system and I override it for production.

Incidentally, it's convenient, but not essential, to put a context.xml in a WAR. The META-INF/context.xml file is Tomcat-specific and not only not required by J2EE, but other appservers have their own deployment descriptors, which usually have different names and different locations.
Kees Jan (JavaMonitor Support)
Dear Chandan,

Encrypted passwords are useless. Once a hacker has got so far that he can read your context.xml, he is in, no matter how badly you encrypt the passwords in there. Openfire uses encrypted passwords in the database and this little article tells you how useful that is: http://java-monitor.com/forum/showthread.php?t=453 In short: you don't need a whole lot to reset the password.

Kees Jan
chandan mahajan (Greenhorn)
Hi All,

Thanks a lot for your responses. But this is a kind of critical requirement in our project. So please let us know how it can be done in Tomcat. I googled for JBoss. JBoss directly provides this feature of encrypting the password and using the encrypted password in the ms-sql.xml file. I need to do it in Tomcat 5.

Thanks,
Chandan
Jaikiran Pai (Sheriff)
Does this help?

Tim Holloway (Saloon Keeper)

Jaikiran Pai wrote: Does this help?

That is, in fact, a subclass of the dbcp factory class, as I'd mentioned. However, it doesn't appear to have the details of the code in it. Then again, I have little patience with websites that obscure articles with popup windows.

One thing I did notice - and object to - however, is that their suggested "encryption" algorithm was merely Base64, which is just one step above a "secret decoder ring" when it comes to security.
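The following is an added example, not code from this thread, from the article linked above, or from the Tomcat project. It sketches the "subclass the dbcp factory class" approach Tim Holloway describes, using AES-GCM with a key file kept outside the WAR instead of Base64. The package and base-class names (`org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory`) are assumed from the DBCP 1.x copy bundled with Tomcat 5.5 and should be checked against your tomcat-dbcp.jar; the `keyFile` attribute is my own invention, not something DBCP understands; and the code assumes Java 8+ for `java.util.Base64` and AES/GCM. It does not change the thread's conclusion: the plaintext is rebuilt in memory, and anyone who can read both context.xml and the key file can recover it. What it buys over Base64 is that the attribute alone is useless without the key file, the GCM tag rejects a tampered attribute, and the WAR no longer carries the secret.

```java
// Added example: DBCP factory subclass that decrypts the password attribute.
// Base class/package assumed from Tomcat 5.5's bundled DBCP 1.x; keyFile is hypothetical.
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory;

public class EncryptedPasswordDataSourceFactory extends BasicDataSourceFactory {
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce prefixed to the ciphertext
    private static final int TAG_BITS = 128;  // full-length authentication tag

    // Tomcat passes the <Resource> attributes to the factory as a JNDI Reference.
    // Decrypt the "password" RefAddr in memory, then let DBCP build the pool as usual.
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (obj instanceof Reference) {
            Reference ref = (Reference) obj;
            String keyFile = content(ref, "keyFile");   // hypothetical attribute, e.g. /etc/tomcat/ds.key
            String token = content(ref, "password");
            if (keyFile != null && token != null) {
                // The key file's permissions, not the cipher, decide who can recover the password.
                replace(ref, "password", decrypt(loadKey(keyFile), token));
            }
        }
        return super.getObjectInstance(obj, name, nameCtx, environment);
    }

    // Key file holds one base64 line of 32 random bytes (AES-256).
    static byte[] loadKey(String path) throws Exception {
        String b64 = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII).trim();
        return Base64.getDecoder().decode(b64);
    }

    static String content(Reference ref, String type) {
        RefAddr addr = ref.get(type);
        return addr == null ? null : (String) addr.getContent();
    }

    // Reference has no setter, so drop the old address and append the new one.
    static void replace(Reference ref, String type, String value) {
        for (int i = 0; i < ref.size(); i++) {
            if (type.equals(ref.get(i).getType())) {
                ref.remove(i);
                break;
            }
        }
        ref.add(new StringRefAddr(type, value));
    }

    // Token layout: base64(iv || ciphertext || tag). A modified attribute fails the tag check.
    static String decrypt(byte[] key, String token) throws Exception {
        byte[] blob = Base64.getDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        byte[] plain = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Admin-side helper: produces the value to paste into the password="..." attribute.
    static String encrypt(byte[] key, String password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    // Usage: java EncryptedPasswordDataSourceFactory <keyFile> <password>  -> prints the token
    public static void main(String[] args) throws Exception {
        byte[] key = loadKey(args[0]);
        String token = encrypt(key, args[1]);
        System.out.println(token);
        System.out.println("round trip ok: " + args[1].equals(decrypt(key, token)));
    }
}
```

To use it, generate the key file once on the server (for example `head -c 32 /dev/urandom | base64 > /etc/tomcat/ds.key`, readable only by the Tomcat user), run the `main` above to turn the real password into a token, and point the `Resource` element at the subclass: `factory="EncryptedPasswordDataSourceFactory" keyFile="/etc/tomcat/ds.key" password="<token>"`. The class has to be loadable by the same class loader as Tomcat's DBCP copy (common/lib in 5.5). Combined with Tim's suggestion of keeping that `Resource` in conf/Catalina/localhost rather than in the WAR, the secret never travels with the build artifact, which is the part of this that actually reduces exposure.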
Jaikiran Pai (Sheriff)

Tim Holloway wrote: However, it doesn't appear to have the details of the code in it.

That was my first impression too. Turns out it's a 2-page article, and the code is mentioned as a listing on the second page. I do agree that that web site leaves a lot to be desired in terms of presentation.