Posted to users@cocoon.apache.org by Derek Hohls <DH...@csir.co.za> on 2001/08/29 08:21:01 UTC

DB-password clear text - what alternatives?

Please expand on the hints below... there are a few areas that are not clear to me yet - at the moment all my passwords are stored in the xml file that makes the calls to the db, e.g.

  String DBPass = "password";
...
  <esql:password><xsp:expr>DBPass</xsp:expr></esql:password>

and I am worried that as the xml file is readable (normally, indirectly, but there are no guarantees here), that someone could find a way of displaying its contents.

What is a 'localhost loopback' and what/where is the 'cocoon.xconf' and how would you use either/both to replace the above system? Please include code snippets if at all possible...

Thanks
Derek

>>> Martin.Man@seznam.cz 28/08/2001 10:38:55 >>>
On Tue, Aug 28, 2001 at 11:21:45AM +0200, Enke Michael wrote:
> Hi!
> Is there a possibility or would it be
> easy to implement to have the DB password
> encrypted in some kind (in *.xsp or cocoon.xconf)?
as long as the direct JDBC connection requires plaintext passwords (and yes
all existing JDBC driver implementations require plaintext) it's absolutely
useless to add encryption to another layer.

anyway passwords are stored in a file on the server and JDBC connection is
usually made via localhost loopback, therefore password sniffing is almost
impossible and cocoon.xconf or whichever file the password actually contains
is not readable by ordinary users via web...


> This doesn't mean a state of the art
> encryption (too complicated!?), but only
> that not everybody can have direct access
> to the database.
don't get this, if there is a password that only admin knows, then
anyone who does not know it does not have the access to 
the database or am I wrong ??? 


> 
> Regards,
> Michael
> 

rgds,
martin
-- 
-------------------------------------------------------------------------------
"Only dead fish swims with a stream"                         Malcolm Muggeridge
gpg_key_available: http://globales.cz/~mman/martin.man.gpg
gpg_key_fingerprint: 2CC0 4AF6 92DA 5CBF 5F09  7BCB 6202 7024 6E06 0223

---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faqs.html>

To unsubscribe, e-mail: <co...@xml.apache.org>
For additional commands, e-mail: <co...@xml.apache.org>

Re: DB-password clear text - what alternatives?

Posted by Bertrand Delacretaz <bd...@codeconsult.ch>.
On Wednesday 29 August 2001 08:21, Derek Hohls wrote:
> What is a ' localhost loopback' 

I assume that means connecting to the same host using "localhost" (with 
Cocoon and DB running on the same server).

Most (hopefully all) network stacks will in such a case send IP packets 
"internally" without making them visible on the network.

IMHO encrypting the passwords in the config files wouldn't help much, unless 
there is a way to guarantee that only your app is able to decrypt them (using 
a hardware key maybe?).

-- 
 -- Bertrand Delacrétaz, www.codeconsult.ch
 -- web technologies consultant - OO, Java, XML, C++





Re: Dynamic form handler

Posted by Mario Muja <ma...@delaval.com>.
You can have a hidden field in the form which tells the processing 
logic behind it which action to perform. For example, you could use the 
hidden field values "process_edit" and "process_display" or 
corresponding numbers.

The processing logic can be an XSP page which generates content 
depending on the action string submitted as a request parameter. You 
further need pipelines in the C2 sitemap.xmap file describing which 
stylesheet is applied to which XSP page result.

Hope this helps.
Mario Muja,


Mamadou Bobo Sylla wrote:

>I have a page which contains a form that has been handled according to which
>link has been clicked.
>In other words, if someone clicks on edit, the form action attribute will have
>to be inside XSL as (for example)
>      <FORM action= "edit.xml" method="post">
>if the user clicks on display, the form action attribute would look like
>this (using the same XSL):
><FORM action= "display.xml" method="post">
>
>
>Can anyone tell me how to do such a task in Cocoon.
>Thanks in advance.
>Bobo
>





Dynamic form handler

Posted by Mamadou Bobo Sylla <bo...@ewarna.com>.
I have a page which contains a form that has been handled according to which
link has been clicked.
In other words, if someone clicks on edit, the form action attribute will have
to be inside XSL as (for example)
      <FORM action= "edit.xml" method="post">
if the user clicks on display, the form action attribute would look like
this (using the same XSL):
<FORM action= "display.xml" method="post">


Can anyone tell me how to do such a task in Cocoon.
Thanks in advance.
Bobo




RE: DB-password clear text - what alternatives?

Posted by Chris Newland <ch...@emorphia.com>.
Hi Derek,

The cocoon.xconf file is the main cocoon 2 configuration file and it is
located in the <cocoon>/webapp directory.

I use connection pooling to access my database and I describe the connection
in my cocoon.xconf file:

<datasources>
	<jdbc name="my_connection">
		<dburl>jdbc:mysql://localhost:3306/my_database_name</dburl>
		<user>my_db_user</user>
		<password>not_telling_you</password>
	</jdbc>
</datasources>

Then in each XSP page that accesses the database I do not need to put my
database name or password into the page, I just specify the connection that
is described in cocoon.xconf:

<esql:connection>
	<esql:pool>my_connection</esql:pool>
	<esql:execute-query>
		<esql:query>
			blah blah blah ....
		</esql:query>
	</esql:execute-query>
</esql:connection>

'localhost' is an alias for the IP address 127.0.0.1 which refers to the
local machine. i.e. the database server is on the same machine as cocoon 2.

Hope this helps,

Best Regards,

Chris
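
An added example, not part of the original thread or of Cocoon itself: a small Python audit for the setup discussed above. It flags XSP pages that still embed <esql:password>, checks that each <dburl> in cocoon.xconf points at the loopback address mentioned in the replies, and, as an extra check assumed here, reports a world-readable cocoon.xconf. The function names, the remote_pool entry and the sample files are constructed for illustration; only jdbc:<driver>://host URLs are recognised.

```python
import ipaddress, os, re, stat, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

JDBC_HOST = re.compile(r"jdbc:\w+://(\[[^\]]+\]|[^/:?]+)")  # jdbc:<driver>://host form only

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # any other name would need DNS; treat it as non-local

def audit_xconf(path):
    """Findings for the <datasources> section of a cocoon.xconf file."""
    findings = []
    if os.stat(path).st_mode & stat.S_IROTH:  # "other" read bit set
        findings.append("xconf is world-readable")
    for jdbc in ET.parse(path).getroot().iter("jdbc"):
        url = jdbc.findtext("dburl", default="").strip()
        m = JDBC_HOST.match(url)
        if not (m and is_loopback(m.group(1))):
            findings.append(f"pool {jdbc.get('name')}: not a loopback dburl")
    return findings

def audit_xsp(webapp_dir):
    """XSP pages that still carry <esql:password> instead of <esql:pool>."""
    return [p.name for p in sorted(Path(webapp_dir).rglob("*.xsp"))
            if "<esql:password" in p.read_text(errors="replace")]

def demo():
    """Run both audits on a constructed webapp tree (sample data, not real files)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        xconf = root / "cocoon.xconf"
        xconf.write_text(
            "<cocoon><datasources>"
            "<jdbc name='my_connection'><dburl>jdbc:mysql://localhost:3306/my_database_name</dburl>"
            "<user>my_db_user</user><password>constructed</password></jdbc>"
            "<jdbc name='remote_pool'><dburl>jdbc:mysql://db.example.org/x</dburl></jdbc>"
            "</datasources></cocoon>")
        os.chmod(xconf, 0o644)  # deliberately world-readable for the demo
        (root / "old.xsp").write_text("<esql:password><xsp:expr>DBPass</xsp:expr></esql:password>")
        (root / "new.xsp").write_text("<esql:pool>my_connection</esql:pool>")
        return audit_xconf(xconf), audit_xsp(root)

if __name__ == "__main__":
    print(demo())
```

To audit a real installation, call audit_xconf() on the cocoon.xconf path and audit_xsp() on the webapp directory.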
