You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Apache Wiki <wi...@apache.org> on 2010/11/07 05:44:35 UTC
[Tomcat Wiki] Trivial Update of "FAQ/Password" by KonstantinKolinko
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
The "FAQ/Password" page has been changed by KonstantinKolinko.
The comment on this change is: Correction: character encoding of server.xml does not matter.
http://wiki.apache.org/tomcat/FAQ/Password?action=diff&rev1=2&rev2=3
--------------------------------------------------
Of course, auditors do not like this answer. So there are some ways to get around this ...
* Use properties replacement so that in the xml config you have ${db.password} and in conf/catalina.properties you put the password there. You are not safer, but the auditors may be happy.
- * Since server.xml uses utf-8 encoding - you can use xml entities. For example: "woot" becomes "&#119;&#111;&#111;&#116;" which is a way to obscure the password
+ * Since server.xml is an XML file — you can use XML entities. For example: "woot" becomes "&#119;&#111;&#111;&#116;" which is a way to obscure the password
* Write your own datasource implementation which wraps your datasource and obscure your brains out. See the docs on how to do this.
* (Tomcat 7) Write your own org.apache.tomcat.util.!IntrospectionUtils.!PropertySource implementation to 'decrypt' passwords that are 'encrypted' in catalina.properties and referenced via ${...} in server.xml. You'll need to set the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE to point to your !PropertySource implmentation. This won't provide any real security, it just adds another level of indirection - i.e. 'security by obscurity'.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org