You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@struts.apache.org by Regis Melo <re...@softsite.com.br> on 2003/05/02 00:21:59 UTC
Encrypt password in struts-config datasource
Hello,
There is any way to use encrypted password in datasources defined in
struts-config?
Thanks!
Regis Melo
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Ian Hunter <ih...@hunterweb.net>.
...or just secure the web.xml file in the first place.
Realistically, if the file is owned by an account that doesn't allow
interactive logins, and the file is readable only by the owner, and the root
password is secured, you're in better shape than if you jumped through all
these "encrypted password" hoops in the first place, IMHO.
----- Original Message -----
From: "Phil Steitz" <ph...@steitz.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Friday, May 02, 2003 8:59 AM
Subject: Re: Encrypt password in struts-config datasource
> Ian Hunter wrote:
> > What if someone ran "strings" on your program?
>
> Well, assuming that the key is in one place, they might stumble on it
> and be able to decrypt the config file. You can make this a little
> harder by breaking the key up into multiple strings stored in different
> locations in the code. The point of all of this is just to make things
> harder for the attacker. It is certainly harder to find the byte code,
> run "strings" and try all the strings (or combinations thereof) as keys
> than to just pluck a clear text password from a file visible to anyone
> with read access to the config file.
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Xu Cheng <xu...@yahoo.com.sg>.
We use byte[] to store the key, so it becomes a bit harder to be found out.
----- Original Message -----
From: "Phil Steitz" <ph...@steitz.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Friday, May 02, 2003 8:59 PM
Subject: Re: Encrypt password in struts-config datasource
Ian Hunter wrote:
> What if someone ran "strings" on your program?
Well, assuming that the key is in one place, they might stumble on it
and be able to decrypt the config file. You can make this a little
harder by breaking the key up into multiple strings stored in different
locations in the code. The point of all of this is just to make things
harder for the attacker. It is certainly harder to find the byte code,
run "strings" and try all the strings (or combinations thereof) as keys
than to just pluck a clear text password from a file visible to anyone
with read access to the config file.
>
> ----- Original Message -----
> From: "Cheng Xu" <xu...@yahoo.com.sg>
> To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> Sent: Thursday, May 01, 2003 10:10 PM
> Subject: Re: Encrypt password in struts-config datasource
>
>
>
>>Right, because of that I could not use datasource
>>feature of struts or tomcat, and have to program the
>>database connection part myself.
>>
>>--- Regis Melo <re...@softsite.com.br> wrote: >
>>Mitchell,
>>
>>>Because is insecure to store database passwords in
>>>plain text.
>>>
>>>[]'s,
>>>
>>>Regis Melo
>>>
>>>
>>>James Mitchell wrote:
>>>
>>>
>>>>On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
>>>>
>>>>
>>>>>Hello,
>>>>>
>>>>>There is any way to use encrypted password in
>>>>
>>>datasources defined in
>>>
>>>>>struts-config?
>>>>
>>>>
>>>>No. Why do you need that?
>>>>
>>>>
>>>>
>>>>>Thanks!
>>>>>
>>>>>Regis Melo
>>>>>
>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Phil Steitz <ph...@steitz.com>.
Ian Hunter wrote:
> What if someone ran "strings" on your program?
Well, assuming that the key is in one place, they might stumble on it
and be able to decrypt the config file. You can make this a little
harder by breaking the key up into multiple strings stored in different
locations in the code. The point of all of this is just to make things
harder for the attacker. It is certainly harder to find the byte code,
run "strings" and try all the strings (or combinations thereof) as keys
than to just pluck a clear text password from a file visible to anyone
with read access to the config file.
>
> ----- Original Message -----
> From: "Cheng Xu" <xu...@yahoo.com.sg>
> To: "Struts Users Mailing List" <st...@jakarta.apache.org>
> Sent: Thursday, May 01, 2003 10:10 PM
> Subject: Re: Encrypt password in struts-config datasource
>
>
>
>>Right, because of that I could not use datasource
>>feature of struts or tomcat, and have to program the
>>database connection part myself.
>>
>>--- Regis Melo <re...@softsite.com.br> wrote: >
>>Mitchell,
>>
>>>Because is insecure to store database passwords in
>>>plain text.
>>>
>>>[]'s,
>>>
>>>Regis Melo
>>>
>>>
>>>James Mitchell wrote:
>>>
>>>
>>>>On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
>>>>
>>>>
>>>>>Hello,
>>>>>
>>>>>There is any way to use encrypted password in
>>>>
>>>datasources defined in
>>>
>>>>>struts-config?
>>>>
>>>>
>>>>No. Why do you need that?
>>>>
>>>>
>>>>
>>>>>Thanks!
>>>>>
>>>>>Regis Melo
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>---------------------------------------------------------------------
>>>>
>>>>>To unsubscribe, e-mail:
>>>>
>>>struts-user-unsubscribe@jakarta.apache.org
>>>
>>>>>For additional commands, e-mail:
>>>>
>>>struts-user-help@jakarta.apache.org
>>>
>>>
>>>
>>>
>>
>>---------------------------------------------------------------------
>>
>>>To unsubscribe, e-mail:
>>>struts-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail:
>>>struts-user-help@jakarta.apache.org
>>>
>>
>>__________________________________________________
>>Do You Yahoo!?
>>Promote your business from just $5 a month!
>>http://sg.biztools.yahoo.com
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: struts-user-help@jakarta.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Ian Hunter <ih...@hunterweb.net>.
What if someone ran "strings" on your program?
----- Original Message -----
From: "Cheng Xu" <xu...@yahoo.com.sg>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Thursday, May 01, 2003 10:10 PM
Subject: Re: Encrypt password in struts-config datasource
> Right, because of that I could not use datasource
> feature of struts or tomcat, and have to program the
> database connection part myself.
>
> --- Regis Melo <re...@softsite.com.br> wrote: >
> Mitchell,
> >
> > Because is insecure to store database passwords in
> > plain text.
> >
> > []'s,
> >
> > Regis Melo
> >
> >
> > James Mitchell wrote:
> >
> > > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> > >
> > >>Hello,
> > >>
> > >> There is any way to use encrypted password in
> > datasources defined in
> > >>struts-config?
> > >
> > >
> > > No. Why do you need that?
> > >
> > >
> > >>Thanks!
> > >>
> > >>Regis Melo
> > >>
> > >>
> > >>
> > >>
> > >>
> >
> >>---------------------------------------------------------------------
> > >>To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > >>For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
>
> __________________________________________________
> Do You Yahoo!?
> Promote your business from just $5 a month!
> http://sg.biztools.yahoo.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Xu Cheng <xu...@yahoo.com.sg>.
I agree that storing the key in program code has weakness, but I think it is
better than putting it in clear so that those who can read the configuration
file (normally sysadmins and operations people) can easily see the password.
Of course they can get the same application up somewhere else and they can
even try to decompile and modify the programs to bypass security controls.
The encrypted password cannot prevent security problems, but can make things
slightly better.
Intercepting network traffic is prevented by using SSL (but, I have to store
the certificate private key for SSL in clear in tomcat config file, no
choice for that one).
What you said is indeed very helpful and I want to thank you for that. What
you suggested is reasonable for a system with small number of concurrent
users. I will discuss what you said with our security policy people. Thanks
again!
----- Original Message -----
From: "Mitchell Morris" <mm...@mindspring.com>
To: "Struts Users Mailing List" <st...@jakarta.apache.org>
Sent: Friday, May 02, 2003 9:20 PM
Subject: RE: Encrypt password in struts-config datasource
> Ummm ... I suspect you haven't fully fleshed out your attack tree.
>
> Your application is on an intranet, which means all your users are company
> insiders. Your concern is that they might see the configuration files with
> the passwords, and will then use those passwords to view information
they're
> not privy to. If you management has told you to "Do Something(tm)", then
by
> all means do something. You shouldn't believe yourself nor let them
believe
> that this simple obfuscation is "securing the application".
>
> This branch of the attack tree seems to be insiders who have chosen not to
> (or failed to) physically access the equipment, who have subverted either
> the container or the host security model to the extent that they can fetch
> the configuration file and yet can't fetch the code that reads the
> configuration file. I suspect this is a very low percentage of your total
> attackers, and you probably have some low-hanging fruit elsewhere on the
> tree.
>
> If a user can gain physical access to the hardware, then you're sunk. All
> your users are company employees, so you have a much larger physical
> security issue.
>
> Your attacker must then either (1) subvert the application server to
deliver
> the configuration file remotely, or (2) subvert the host operating system
to
> deliver the configuration file remotely. Encrypting the configuration file
> merely means the attacker will need to use the same (or similar)
subversion
> to deliver the web application itself. The odds of the subversion allowing
> the webapps/MyWebApp/WEB-INF/struts-config.xml file to be delivered but
not
> webapps/MyWebApp/WEB-INF/classes/Stuff.class? That would be a pretty weak
> exploit. Securing your installation generally assumes that your attacker
is
> a potent adversary, not a stupid one.
>
> Additionally, if your database is on the same host as your web
application,
> then your attacker could use the subversion assumed above to retrieve the
> database files (equivalent to stealing the machine). If your database is
not
> on the same host, then your attacker can much more easily sniff the
packets
> between the hosts to steal the passwords off the wire than through any
silly
> file transfer.
>
> In short, my recommendation to you is to spend as little effort is as
> practical on this, because your attackers are smarter than to attack you
in
> this fashion. Yes, you have laser motion detectors on top of your barred
> windows, but your attacker is just going to chainsaw a hole in the wall or
> tunnel underneath the foundation.
>
>
> As a counterpoint to all this gloom, let me suggest that if you really
want
> to secure your passwords, you shouldn't store them at all. Assign each
user
> a userid and password using the database's native security. Ask the user
to
> log in to your application, and then attempt to connect to the database
> using the supplied userid/password (use
> DataSource.getConnection(String,String) instead of
> DataSource.getConnection()). If you connect, then you're authenticated. If
> you fail to connect, then you're not. This way you don't have any exposure
> in your web application's persistent form (although obviously you have an
> exposure if your attacker can gain access to your virtual memory while
> you're executing, although that's an essay for another day). This will
> likely play hell with your pooling, but you can't have everything.
>
>
> paranoia-is-its-own-reward-in-some-fields-ly y'rs,
> +Mitchell
>
>
> -----Original Message-----
> From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
> Sent: Thursday, May 01, 2003 10:32 PM
> To: Struts Users Mailing List
> Subject: RE: Encrypt password in struts-config datasource
>
>
> (1) I would think so. Our application is in intranet,
> so there is no big risk from external world. The
> concern is that people who can see those config files
> will know the passwords and can see company data,
> which they are not supposed to see.
>
> (2) For now we use symmetric key. Keys are hardcoded
> in the program, and are not owned by developers.
> Before release, keys will be put in by another group,
> and the encrypted password is generated and put into
> the config files. Anyone has better suggestions?
>
> --- Mitchell Morris <mm...@mindspring.com> wrote: >
> Two questions, both of which are easy to ask but
> > will probably be hard to
> > answer:
> >
> > (1) Is the attack you're trying to defend against
> > one of the most likely
> > avenues of attack that you will be subjected to?
> >
> > (2) How do you intend to manage the keys required to
> > decode the encoded
> > passwords?
> >
> > As always, security is much harder than it looks,
> > and requires a particular
> > kind of institutional paranoia to do well.
> >
> > some-days-they-really-are-out-to-get-me-ly y'rs,
> > +Mitchell
> >
> > -----Original Message-----
> > From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
> > Sent: Thursday, May 01, 2003 10:10 PM
> > To: Struts Users Mailing List
> > Subject: Re: Encrypt password in struts-config
> > datasource
> >
> >
> > Right, because of that I could not use datasource
> > feature of struts or tomcat, and have to program the
> > database connection part myself.
> >
> > --- Regis Melo <re...@softsite.com.br> wrote: >
> > Mitchell,
> > >
> > > Because is insecure to store database passwords
> > in
> > > plain text.
> > >
> > > []'s,
> > >
> > > Regis Melo
> > >
> > >
> > > James Mitchell wrote:
> > >
> > > > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> > > >
> > > >>Hello,
> > > >>
> > > >> There is any way to use encrypted password in
> > > datasources defined in
> > > >>struts-config?
> > > >
> > > >
> > > > No. Why do you need that?
> > > >
> > > >
> > > >>Thanks!
> > > >>
> > > >>Regis Melo
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
RE: Encrypt password in struts-config datasource
Posted by Mitchell Morris <mm...@mindspring.com>.
Ummm ... I suspect you haven't fully fleshed out your attack tree.
Your application is on an intranet, which means all your users are company
insiders. Your concern is that they might see the configuration files with
the passwords, and will then use those passwords to view information they're
not privy to. If you management has told you to "Do Something(tm)", then by
all means do something. You shouldn't believe yourself nor let them believe
that this simple obfuscation is "securing the application".
This branch of the attack tree seems to be insiders who have chosen not to
(or failed to) physically access the equipment, who have subverted either
the container or the host security model to the extent that they can fetch
the configuration file and yet can't fetch the code that reads the
configuration file. I suspect this is a very low percentage of your total
attackers, and you probably have some low-hanging fruit elsewhere on the
tree.
If a user can gain physical access to the hardware, then you're sunk. All
your users are company employees, so you have a much larger physical
security issue.
Your attacker must then either (1) subvert the application server to deliver
the configuration file remotely, or (2) subvert the host operating system to
deliver the configuration file remotely. Encrypting the configuration file
merely means the attacker will need to use the same (or similar) subversion
to deliver the web application itself. The odds of the subversion allowing
the webapps/MyWebApp/WEB-INF/struts-config.xml file to be delivered but not
webapps/MyWebApp/WEB-INF/classes/Stuff.class? That would be a pretty weak
exploit. Securing your installation generally assumes that your attacker is
a potent adversary, not a stupid one.
Additionally, if your database is on the same host as your web application,
then your attacker could use the subversion assumed above to retrieve the
database files (equivalent to stealing the machine). If your database is not
on the same host, then your attacker can much more easily sniff the packets
between the hosts to steal the passwords off the wire than through any silly
file transfer.
In short, my recommendation to you is to spend as little effort is as
practical on this, because your attackers are smarter than to attack you in
this fashion. Yes, you have laser motion detectors on top of your barred
windows, but your attacker is just going to chainsaw a hole in the wall or
tunnel underneath the foundation.
As a counterpoint to all this gloom, let me suggest that if you really want
to secure your passwords, you shouldn't store them at all. Assign each user
a userid and password using the database's native security. Ask the user to
log in to your application, and then attempt to connect to the database
using the supplied userid/password (use
DataSource.getConnection(String,String) instead of
DataSource.getConnection()). If you connect, then you're authenticated. If
you fail to connect, then you're not. This way you don't have any exposure
in your web application's persistent form (although obviously you have an
exposure if your attacker can gain access to your virtual memory while
you're executing, although that's an essay for another day). This will
likely play hell with your pooling, but you can't have everything.
paranoia-is-its-own-reward-in-some-fields-ly y'rs,
+Mitchell
-----Original Message-----
From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
Sent: Thursday, May 01, 2003 10:32 PM
To: Struts Users Mailing List
Subject: RE: Encrypt password in struts-config datasource
(1) I would think so. Our application is in intranet,
so there is no big risk from external world. The
concern is that people who can see those config files
will know the passwords and can see company data,
which they are not supposed to see.
(2) For now we use symmetric key. Keys are hardcoded
in the program, and are not owned by developers.
Before release, keys will be put in by another group,
and the encrypted password is generated and put into
the config files. Anyone has better suggestions?
--- Mitchell Morris <mm...@mindspring.com> wrote: >
Two questions, both of which are easy to ask but
> will probably be hard to
> answer:
>
> (1) Is the attack you're trying to defend against
> one of the most likely
> avenues of attack that you will be subjected to?
>
> (2) How do you intend to manage the keys required to
> decode the encoded
> passwords?
>
> As always, security is much harder than it looks,
> and requires a particular
> kind of institutional paranoia to do well.
>
> some-days-they-really-are-out-to-get-me-ly y'rs,
> +Mitchell
>
> -----Original Message-----
> From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
> Sent: Thursday, May 01, 2003 10:10 PM
> To: Struts Users Mailing List
> Subject: Re: Encrypt password in struts-config
> datasource
>
>
> Right, because of that I could not use datasource
> feature of struts or tomcat, and have to program the
> database connection part myself.
>
> --- Regis Melo <re...@softsite.com.br> wrote: >
> Mitchell,
> >
> > Because is insecure to store database passwords
> in
> > plain text.
> >
> > []'s,
> >
> > Regis Melo
> >
> >
> > James Mitchell wrote:
> >
> > > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> > >
> > >>Hello,
> > >>
> > >> There is any way to use encrypted password in
> > datasources defined in
> > >>struts-config?
> > >
> > >
> > > No. Why do you need that?
> > >
> > >
> > >>Thanks!
> > >>
> > >>Regis Melo
> > >>
> > >>
> > >>
> > >>
> > >>
> >
>
>>---------------------------------------------------------------------
> > >>To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > >>For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
> >
> >
> >
>
---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
>
> __________________________________________________
> Do You Yahoo!?
> Promote your business from just $5 a month!
> http://sg.biztools.yahoo.com
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
__________________________________________________
Do You Yahoo!?
Promote your business from just $5 a month!
http://sg.biztools.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
RE: Encrypt password in struts-config datasource
Posted by Cheng Xu <xu...@yahoo.com.sg>.
(1) I would think so. Our application is in intranet,
so there is no big risk from external world. The
concern is that people who can see those config files
will know the passwords and can see company data,
which they are not supposed to see.
(2) For now we use symmetric key. Keys are hardcoded
in the program, and are not owned by developers.
Before release, keys will be put in by another group,
and the encrypted password is generated and put into
the config files. Anyone has better suggestions?
--- Mitchell Morris <mm...@mindspring.com> wrote: >
Two questions, both of which are easy to ask but
> will probably be hard to
> answer:
>
> (1) Is the attack you're trying to defend against
> one of the most likely
> avenues of attack that you will be subjected to?
>
> (2) How do you intend to manage the keys required to
> decode the encoded
> passwords?
>
> As always, security is much harder than it looks,
> and requires a particular
> kind of institutional paranoia to do well.
>
> some-days-they-really-are-out-to-get-me-ly y'rs,
> +Mitchell
>
> -----Original Message-----
> From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
> Sent: Thursday, May 01, 2003 10:10 PM
> To: Struts Users Mailing List
> Subject: Re: Encrypt password in struts-config
> datasource
>
>
> Right, because of that I could not use datasource
> feature of struts or tomcat, and have to program the
> database connection part myself.
>
> --- Regis Melo <re...@softsite.com.br> wrote: >
> Mitchell,
> >
> > Because is insecure to store database passwords
> in
> > plain text.
> >
> > []'s,
> >
> > Regis Melo
> >
> >
> > James Mitchell wrote:
> >
> > > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> > >
> > >>Hello,
> > >>
> > >> There is any way to use encrypted password in
> > datasources defined in
> > >>struts-config?
> > >
> > >
> > > No. Why do you need that?
> > >
> > >
> > >>Thanks!
> > >>
> > >>Regis Melo
> > >>
> > >>
> > >>
> > >>
> > >>
> >
>
>>---------------------------------------------------------------------
> > >>To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > >>For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
> >
> >
> >
>
---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > struts-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > struts-user-help@jakarta.apache.org
> >
>
> __________________________________________________
> Do You Yahoo!?
> Promote your business from just $5 a month!
> http://sg.biztools.yahoo.com
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
__________________________________________________
Do You Yahoo!?
Promote your business from just $5 a month!
http://sg.biztools.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
RE: Encrypt password in struts-config datasource
Posted by Mitchell Morris <mm...@mindspring.com>.
Two questions, both of which are easy to ask but will probably be hard to
answer:
(1) Is the attack you're trying to defend against one of the most likely
avenues of attack that you will be subjected to?
(2) How do you intend to manage the keys required to decode the encoded
passwords?
As always, security is much harder than it looks, and requires a particular
kind of institutional paranoia to do well.
some-days-they-really-are-out-to-get-me-ly y'rs,
+Mitchell
-----Original Message-----
From: Cheng Xu [mailto:xucheng_chn@yahoo.com.sg]
Sent: Thursday, May 01, 2003 10:10 PM
To: Struts Users Mailing List
Subject: Re: Encrypt password in struts-config datasource
Right, because of that I could not use datasource
feature of struts or tomcat, and have to program the
database connection part myself.
--- Regis Melo <re...@softsite.com.br> wrote: >
Mitchell,
>
> Because is insecure to store database passwords in
> plain text.
>
> []'s,
>
> Regis Melo
>
>
> James Mitchell wrote:
>
> > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> >
> >>Hello,
> >>
> >> There is any way to use encrypted password in
> datasources defined in
> >>struts-config?
> >
> >
> > No. Why do you need that?
> >
> >
> >>Thanks!
> >>
> >>Regis Melo
> >>
> >>
> >>
> >>
> >>
>
>>---------------------------------------------------------------------
> >>To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
__________________________________________________
Do You Yahoo!?
Promote your business from just $5 a month!
http://sg.biztools.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Cheng Xu <xu...@yahoo.com.sg>.
Right, because of that I could not use datasource
feature of struts or tomcat, and have to program the
database connection part myself.
--- Regis Melo <re...@softsite.com.br> wrote: >
Mitchell,
>
> Because is insecure to store database passwords in
> plain text.
>
> []'s,
>
> Regis Melo
>
>
> James Mitchell wrote:
>
> > On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> >
> >>Hello,
> >>
> >> There is any way to use encrypted password in
> datasources defined in
> >>struts-config?
> >
> >
> > No. Why do you need that?
> >
> >
> >>Thanks!
> >>
> >>Regis Melo
> >>
> >>
> >>
> >>
> >>
>
>>---------------------------------------------------------------------
> >>To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
>
>
>
---------------------------------------------------------------------
> To unsubscribe, e-mail:
> struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> struts-user-help@jakarta.apache.org
>
__________________________________________________
Do You Yahoo!?
Promote your business from just $5 a month!
http://sg.biztools.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Regis Melo <re...@softsite.com.br>.
Mitchell,
Because is insecure to store database passwords in plain text.
[]'s,
Regis Melo
James Mitchell wrote:
> On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
>
>>Hello,
>>
>> There is any way to use encrypted password in datasources defined in
>>struts-config?
>
>
> No. Why do you need that?
>
>
>>Thanks!
>>
>>Regis Melo
>>
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: struts-user-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by Phil Steitz <ph...@steitz.com>.
James Mitchell wrote:
> On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
>
>>Hello,
>>
>> There is any way to use encrypted password in datasources defined in
>>struts-config?
>
>
> No. Why do you need that?
Presumably to protect the database from being compromised by someone who
gets hold of the config file. Some companies have security policies
that forbid the storage of plain text passwords in files. This makes it
difficult to use software that stores passwords in plain text in config
files. This question has also come up a few times on tomcat-user, where
server.xml has the same problem (JNDI DataSource configuration requires
plain text database password).
It is an interesting question to ask what is the best way to handle
encryption for database passwords or config data in general. I can see
several places where the crypto could be performed:
1. Digester: enhance commons-digester to handle encrypted files.
2. DBCP: enhance commons-dbcp to decrypt encrypted database passwords.
3. Struts/tomcat: enhance struts or tomcat to do the crypto before
getting the connection
4. Application: develop a custom JNDI Resource that does the crpto or
obfuscate the database password in code and work directly with dbcp to
set up the connections.
Right now, 4. is the only option for developers. I am curious about the
opinions of others on which, if any, of 1-3 would make sense.
In all cases (including 4), key management will be a pain. Unless you
want a human to have to enter a password to "unlock" the crypto key at
startup time, the encryption key has to be stored somewhere. The
standard ruse of obfuscating the key in code obviously won't work in an
open source environment. Makes for an interesting problem.
Phil
>
>
>>Thanks!
>>
>>Regis Melo
>>
>>
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
Re: Encrypt password in struts-config datasource
Posted by James Mitchell <jm...@apache.org>.
On Thu, 2003-05-01 at 18:21, Regis Melo wrote:
> Hello,
>
> There is any way to use encrypted password in datasources defined in
> struts-config?
No. Why do you need that?
>
> Thanks!
>
> Regis Melo
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org
--
James Mitchell
Software Developer/Struts Evangelist
http://www.open-tools.org
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org