Posted to users@tomcat.apache.org by Jason Bainbridge <ja...@jblinux.org> on 2003/05/09 13:32:22 UTC
encrypted password for jndi datasource
All,
I have successfully set up a JNDI datasource in the server.xml file and am
using it within my JSPs, but now I want to get our development team to
incorporate a similar setup into our servlet-based web application instead of
the currently used non-standard db.properties file that they use. The only
problem is I can't see any examples of how to use an encrypted password for
the datasource, and there is no way they would accept storing it in plain text
in server.xml.
I know I could do this outside of the server.xml and decrypt the password
before I pass it to the datasource, but that defeats the purpose of moving to
the JNDI method in the first place. Is there any way within Tomcat to do
something similar to the example JRun code I found below:
<username>webadmin</username>
<password>A4AC2D1F8C24ED483ABC9FAB940C65B0</password>
<encrypted>true</encrypted>
<encryption-class>jrun.security.JRunCrypterForTwofish</encryption-class>
I did my due diligence with googling and the tomcatfaq but couldn't find
anything relevant so any pointers would be most appreciated, example code
would be even better. :)
Thanks,
--
Jason Bainbridge
KDE Web Team - http://kde.org
webmaster@kde.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: encrypted password for jndi datasource
Posted by "Andre E. Bar'yudin" <ba...@pob.huji.ac.il>.
On Fri, May 09, 2003 at 10:14:37 +0800, Jason Bainbridge wrote:
> On Fri, 9 May 2003 10:06 pm, Tim Funk wrote:
> > .htpasswd uses crypt() or something very similar. It's one-way encryption
> > like SHA1. Passwords can only be found by brute force.
> > The security model is: an incoming password is "encrypted" then compared
> > against the encrypted value in .htpasswd.
>
> /me slaps forehead... I should have realised that, thanks for reminding me. :)
>
> > If they don't like the "only let certain user(s)" be able to read the file,
> > I guess they really hate the shadow password file which is a unix standard.
>
> Most of our clients end up cracking the very weak encryption we currently use
> anyway so maybe I can convince them otherwise. It would be nice though if
> Tomcat had the ability to specify an encryption class to use for this
> purpose, especially as JRun has that feature and that is what I am trying to
> get our company away from.
I fail to understand how this is going to help you, since the encryption
that will be done by your custom code can be reverse-engineered (which
is quite simple with Java) and therefore you've gained nothing. The main
problem is that you need to give your database connection the _real_
password, and you'll have to provide it in one way or another.
However, it seems that adding a custom encryption behavior is quite
simple using DBCP: just extend whatever class reads the configuration
and add your functionality there. At least use some obfuscation...
Regards,
Andre.
--
Andre E. Bar'yudin
Home page: http://www.cs.huji.ac.il/~baryudin/
Re: encrypted password for jndi datasource
Posted by Jason Bainbridge <ja...@jblinux.org>.
On Fri, 9 May 2003 10:06 pm, Tim Funk wrote:
> .htpasswd uses crypt() or something very similar. It's one-way encryption
> like SHA1. Passwords can only be found by brute force.
> The security model is: an incoming password is "encrypted" then compared
> against the encrypted value in .htpasswd.
/me slaps forehead... I should have realised that, thanks for reminding me. :)
> If they don't like the "only let certain user(s)" be able to read the file,
> I guess they really hate the shadow password file which is a unix standard.
Most of our clients end up cracking the very weak encryption we currently use
anyway so maybe I can convince them otherwise. It would be nice though if
Tomcat had the ability to specify an encryption class to use for this
purpose, especially as JRun has that feature and that is what I am trying to
get our company away from.
I might have to dig a bit deeper in the docs and the source when I get
some time to see what could be done in this respect. I just thought someone
might have had some experience with this in the past.
Regards,
--
Jason Bainbridge
KDE Web Team - http://kde.org
webmaster@kde.org
Re: encrypted password for jndi datasource
Posted by Tim Funk <fu...@joedog.org>.
.htpasswd uses crypt() or something very similar. It's one-way encryption like
SHA1. Passwords can only be found by brute force.
The security model is: an incoming password is "encrypted" then compared
against the encrypted value in .htpasswd.
If they don't like the "only let certain user(s)" be able to read the file, I
guess they really hate the shadow password file which is a unix standard.
-Tim
Jason Bainbridge wrote:
> On Fri, 9 May 2003 09:39 pm, Tim Funk wrote:
>
>>Since the source to tomcat is available to all, encrypting the password in
>>server.xml really doesn't do any good since anyone can determine the
>>decryption algorithm via source code.
>
>
> Well, is there any way to specify your own encryption class in the server.xml in
> that case? How does Apache itself do it with .htpasswd files, then?
>
>
>>I recommend making sure that only the "right user" can read
>>server.xml.
>
>
> I agree but unfortunately others within the company won't accept that as they
> believe it is still too insecure. :(
>
>
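As an added example (not code from the thread, nor from Tomcat or httpd), here is the .htpasswd model Tim describes, in Python: the file holds a one-way hash, verification hashes the incoming password and compares it with the stored value, and nothing in the file yields the password back. It assumes httpd's {SHA} scheme (user:{SHA}base64(sha1(password))) and a sample file constructed inside the block; as Andre notes in his reply, a datasource cannot use this model at all, because the database must be handed the real password.

```python
import base64
import hashlib
import hmac

# Added example, not from the thread. Format assumed: httpd's {SHA} scheme,
# one line per user of the form  user:{SHA}base64(sha1(password)).

def sha_entry(user: str, password: str) -> str:
    """Build one .htpasswd line in the {SHA} scheme (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return user + ":{SHA}" + base64.b64encode(digest).decode("ascii")

def load_htpasswd(text: str) -> dict:
    """Parse user -> stored hash, skipping blank lines and '#' comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users

def verify(users: dict, user: str, password: str) -> bool:
    """Hash the incoming password and compare it with the stored value.

    This is the one-way model: the file is never decrypted, only matched.
    compare_digest keeps the comparison constant-time, and any scheme other
    than {SHA} is rejected rather than guessed at.
    """
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry(user, password).partition(":")[2]
    return hmac.compare_digest(candidate, stored)

# Constructed sample file (two users and a comment line), built at runtime
# so the hashes are computed rather than typed in.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed for this example",
    sha_entry("webadmin", "correct horse battery"),
    sha_entry("jason", "kde-web-team"),
])
USERS = load_htpasswd(SAMPLE_HTPASSWD)
```

Note what the stored value does not give you: the only way to turn it back into a password is to guess and re-hash, which is exactly the brute-force-only property Tim refers to.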
Re: encrypted password for jndi datasource
Posted by Jason Bainbridge <ja...@jblinux.org>.
On Fri, 9 May 2003 09:39 pm, Tim Funk wrote:
> Since the source to tomcat is available to all, encrypting the password in
> server.xml really doesn't do any good since anyone can determine the
> decryption algorithm via source code.
Well, is there any way to specify your own encryption class in the server.xml in
that case? How does Apache itself do it with .htpasswd files, then?
> I recommend making sure that only the "right user" can read
> server.xml.
I agree but unfortunately others within the company won't accept that as they
believe it is still too insecure. :(
--
Jason Bainbridge
KDE Web Team - http://kde.org
webmaster@kde.org
Re: encrypted password for jndi datasource
Posted by Tim Funk <fu...@joedog.org>.
Since the source to tomcat is available to all, encrypting the password in
server.xml really doesn't do any good since anyone can determine the
decryption algorithm via source code.
I recommend making sure that only the "right user" can read server.xml.
[Unless I really misinterpreted your q]
-Tim
Jason Bainbridge wrote:
> All,
>
> I have successfully set up a JNDI datasource in the server.xml file and am
> using it within my JSPs, but now I want to get our development team to
> incorporate a similar setup into our servlet-based web application instead of
> the currently used non-standard db.properties file that they use. The only
> problem is I can't see any examples of how to use an encrypted password for
> the datasource, and there is no way they would accept storing it in plain text
> in server.xml.
>
> I know I could do this outside of the server.xml and decrypt the password
> before I pass it to the datasource, but that defeats the purpose of moving to
> the JNDI method in the first place. Is there any way within Tomcat to do
> something similar to the example JRun code I found below:
>
> <username>webadmin</username>
> <password>A4AC2D1F8C24ED483ABC9FAB940C65B0</password>
> <encrypted>true</encrypted>
> <encryption-class>jrun.security.JRunCrypterForTwofish</encryption-class>
>
> I did my due diligence with googling and the tomcatfaq but couldn't find
> anything relevant so any pointers would be most appreciated, example code
> would be even better. :)
>
> Thanks,