
How secure is Web.xml For storing Passwords.

 
Ranch Hand
Hello Everyone

I am learning JSP and Servlets these days.

I just read that configuration parameters can be placed inside the "web.xml" deployment descriptor file. Also, web.xml is not visible to the users.

I wonder whether "web.xml" is the right place to store passwords?

My findings:
Someone replied on Stack Overflow that it is not the right place; instead,
you should put them in a separate file and store the location of the file in web.xml.
Also, you can restrict the access to that file to root users.

I want to get the views of the Java Ranch geeks on this, and on other alternative solutions, if any.
Moreover, how do I restrict access to the root users?

Thanks!
 
Rancher
I think it is preferable to keep as much configuration out of web.xml as possible. Keeping that information in one or more properties files is a good approach, IMO - you can keep several such files for different deployment environments, with no need to change web.xml.

If you're talking about user passwords, those should not be in a file, but rather in a DB or LDAP repository.
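An added example, not part of any post in this thread: one way to load application secrets from a separate properties file while refusing to start if that file is readable by anyone other than its owner. It assumes a POSIX filesystem; the class name `SecretsFileLoader`, the context parameter name `secretsFile` and the sample property are hypothetical.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class SecretsFileLoader {
    // Any bit beyond owner read/write lets other local accounts read the secrets.
    private static final Set<PosixFilePermission> ALLOWED =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Loads the file only if it is a regular file with no group/other permission bits. */
    public static Properties load(Path file) throws IOException {
        if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("Not a regular file: " + file);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        Set<PosixFilePermission> excess = EnumSet.noneOf(PosixFilePermission.class);
        excess.addAll(perms);
        excess.removeAll(ALLOWED);
        if (!excess.isEmpty()) {
            throw new SecurityException(file + " is too permissive: "
                    + PosixFilePermissions.toString(perms));
        }
        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file. In a web application the path would come from a
        // web.xml <context-param>, read with ServletContext.getInitParameter("secretsFile").
        Path file = Files.createTempFile("app-secrets", ".properties");
        Files.write(file, "db.password=constructed-sample-value\n".getBytes());
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            load(file);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        System.out.println("loaded keys: " + load(file).stringPropertyNames());
        Files.delete(file);
    }
}
```

The file should be owned by the account the application server runs as, since that account is the one that has to read it.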
 
Sangel Kapoor
Ranch Hand

Ulf Dittmer wrote:
If you're talking about user passwords, those should not be in a file, but rather in a DB or LDAP repository.



Thanks for your insights Ulf Dittmer.

Why not files if they are restricted?
 
Ulf Dittmer
Rancher
Files are too inflexible. You don't want to change a file every time you add or disable a user. What's more, you'd need a mechanism to reload that file at runtime - an unnecessary complication.
 