Posted to users@tomcat.apache.org by PocketA <gi...@gmail.com> on 2011/09/18 19:50:39 UTC

Is it safe ?

Hi,

In my web service (using Tomcat 7.0) I use a datasource to a MySQL database
configured under context.xml (in my WEB-INF directory), which looks like the
following:

<Context>

    <Resource name="jdbc/TestDB" auth="Container"
              type="javax.sql.DataSource"
              maxActive="100" maxIdle="30" maxWait="10000"
              username="user" password="pass"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost/test_db?autoReconnect=true"/>

</Context>

My question is: Is it safe to store user/pass like this? If not, what is
commonly used as a safe approach?

Thanks !!! 
-- 
View this message in context: http://old.nabble.com/Is-it-safe---tp32490405p32490405.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Is it safe ?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/9/18 PocketA <gi...@gmail.com>:
>
> Hi,
>
> In my web service (using Tomcat 7.0) I use a datasource to a MySQL database
> configured under context.xml (in my WEB-INF directory), which looks like the

It will be in META-INF, not in WEB-INF.

> following:
>
> <Context>
>
>       <Resource name="jdbc/TestDB" auth="Container"
> type="javax.sql.DataSource" maxActive="100"   maxIdle="30" maxWait="10000"
> username="user" password="pass" driverClassName="com.mysql.jdbc.Driver"
> url="jdbc:mysql://localhost/test_db?autoReconnect=true"/>
>
> </Context>
>
> My question is: Is it safe to store user/pass like this? If not, what is
> commonly used as a safe approach?

Usually it is, but make sure that your webapps and conf folders are
not world-readable.
On Unixes you'd use the umask command to configure the default access rights
of created files.

I prefer to configure connections in server.xml
(so that the context.xml of the webapp does not have secrets and can
be stored in svn etc., as well as to use a different db configuration on
dev vs. prod).

Regarding the password itself:
http://wiki.apache.org/tomcat/FAQ/Password

Best regards,
Konstantin Kolinko
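
The permission advice in the reply above, as an added example that is not part of the original thread: a shell check for world-readable files carrying a password attribute, plus the chmod and umask steps that close the exposure. The function names are hypothetical and the directories to scan are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Pass the Tomcat conf and webapps
# directories as arguments; their locations are an assumption of this sketch.

# List world-readable files that carry a password attribute, such as the
# <Resource ... password="pass"> element quoted in the question.
find_exposed_secrets() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -004 selects files whose "other" read bit is set.
        # grep -q acts as a filter; -print emits only matching paths.
        find "$dir" -type f -perm -004 \
            -exec grep -Eq 'password[[:space:]]*=' {} \; -print
    done
}

# Drop every permission for "other" on the given trees.
restrict_to_owner_and_group() {
    for dir in "$@"; do
        if [ -d "$dir" ]; then
            chmod -R o-rwx "$dir"
        fi
    done
}

# Create an empty file under a given umask, in a subshell so the caller's
# umask is left alone. With 027 a new file gets mode 640.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}
```

Run find_exposed_secrets against both directories before and after restrict_to_owner_and_group; an empty result means no password-bearing file is readable by other local accounts.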
