Posted to users@tomcat.apache.org by Jan Mönnich <mo...@dfn-cert.de> on 2008/02/08 11:30:21 UTC

Password Input on Tomcat Startup

Hi folks,

we have a very sensitive webapp that requires the input of a password
when the tomcat server starts. We don't want to store this password
in a file. One way we've already tested could be the use of a JDialog
with a JPasswordField that is shown in the init() method of a servlet
(<load-on-startup>1). Unfortunately this requires our server to run
X11... :-(

Is there any (hidden) way to input this password on the terminal
tomcat was started from?

Thanks in advance for any idea!
Jan

-- 
Dipl.-Inf. (FH) Jan Mönnich, PKI Team
Phone: +49 40 808077-632, Fax: +49 40 808077-556, moennich@dfn-cert.de

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, Hamburg Local Court (AG Hamburg), HRB 88805, VAT ID: DE 232129737
Sachsenstraße 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen" (Security in Networked Systems)
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/



Re: Password Input on Tomcat Startup

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
---------------------------------------------------------------------------
HARBOR: http://coolharbor.100free.com/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
Making the Java dream come true.
---------------------------------------------------------------------------
----- Original Message ----- 
From: "Jan Mönnich" <mo...@dfn-cert.de>
To: <us...@tomcat.apache.org>
Sent: Friday, February 08, 2008 12:30 PM
Subject: Password Input on Tomcat Startup


Hi folks,

we have a very sensitive webapp that requires the input of a password
when the tomcat server starts. We don't want to store this password
in a file. One way we've already tested could be the use of a JDialog
with a JPasswordField that is shown in the init() method of a servlet
(<load-on-startup>1). Unfortunately this requires our server to run
X11... :-(

Is there any (hidden) way to input this password on the terminal
tomcat was started from?

============================
Ha ha... hey linux is supposed to be free ;)
Sounds like a licensing scheme... naughty naughty, ok you got to eat ;)

A natural way is, as the other poster explained... a web page.
Popping UI out of a servlet, even with X... no, it's just ugly.

You have to hide the password on the machine...

One way is to... when they pay for the software...
is to give them a license key which is a hash of the password and, say, the IP 
address, thus it doesn't work on other machines.
Then you store your password inside the application... it hashes itself and 
the IP; if same, it's on, if not, the browsers just give
a "pay me, people" message... ;)

Something like that...

Also look at the POJO application server above... you could have a central 
registry...
ie when servlet starts it calls into the PAS, it checks a user registry and 
either allows it to run or not...
Yes, tomcat is also an application server... probably the most powerful 
application server ever.... ha ha

Have fun...

============================

Thanks in advance for any idea!
Jan





---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Password Input on Tomcat Startup

Posted by Peter Crowther <Pe...@melandra.com>.
> From: Jan Mönnich [mailto:moennich@dfn-cert.de]
> we have a very sensitive webapp that requires the input of a password
> when the tomcat server starts. We don't want to store this password
> in a file. One way we've already tested could be the use of a JDialog
> with a JPasswordField that is shown in the init() method of a servlet
> (<load-on-startup>1). Unfortunately this requires our server to run
> X11... :-(
>
> Is there any (hidden) way to input this password on the terminal
> tomcat was started from?

Assuming all communication is via HTTPS, an alternative goes roughly as follows:

- Pull any initialisation out of the servlet's init(), leaving just a boolean as to whether the password's been entered or not;

- Modify the servlet to serve a please-enter-the-password page at a particular URL;

- When the user enters the password, run any init code;

- Refuse to serve any other pages until the password has been entered.

This uses Tomcat's normal interface - HTTP - to your advantage, and probably maintains security to the level you need - you'll have to evaluate that.  Depends how much control you have over the webapp, though.

                - Peter
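The four steps above as one gate servlet (an added example, not code from the thread or from Tomcat). It assumes the servlet is mapped to /* so that getPathInfo() yields the request path, that a hypothetical AppInitializer.run(char[]) hook performs the real start-up work with the password and throws if the password is wrong, and that the connector is HTTPS, which doPost checks with isSecure().

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Gate servlet mapped to /* : serves only the password form until the operator
// has posted the start-up password over HTTPS, then runs the real init once.
public class StartupPasswordServlet extends HttpServlet {
    private static final String UNLOCK_PATH = "/unlock"; // assumed URL of the password page
    private volatile boolean unlocked = false;           // step 1: init() keeps only this flag
    @Override
    public void init() { /* deliberately empty: the real initialisation runs in unlock() */ }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (unlocked) {
            resp.setContentType("text/plain");
            resp.getWriter().println("application ready"); // normal handling goes here
        } else if (UNLOCK_PATH.equals(req.getPathInfo())) {  // step 2: the password page
            resp.setContentType("text/html");
            resp.getWriter().print("<form method='post'><input type='password' name='password'>"
                    + "<input type='submit' value='Unlock'></form>");
        } else {                                             // step 4: refuse everything else
            resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Not initialised");
        }
    }
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Only the unlock URL, only over TLS, and only while still locked.
        if (unlocked || !UNLOCK_PATH.equals(req.getPathInfo()) || !req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String p = req.getParameter("password");
        char[] password = p == null ? new char[0] : p.toCharArray();
        try {
            unlock(password);                                // step 3: run the init code
            resp.sendRedirect(req.getContextPath() + "/");
        } catch (Exception e) {                              // wrong password: stay locked, log nothing secret
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Initialisation failed");
        } finally {
            Arrays.fill(password, '\0');                     // don't keep the secret around
        }
    }
    private synchronized void unlock(char[] password) throws Exception {
        if (unlocked) return;                                // init runs at most once
        AppInitializer.run(password); // hypothetical hook: e.g. opens a keystore, throws if the password is wrong
        unlocked = true;
    }
}
```

Because the servlet container still starts with the application locked, a restart (or a crash loop) leaves the app returning 503 until someone visits the unlock page again, which is the behaviour Peter describes and something monitoring should be told about.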
