Posted to users@tomcat.apache.org by Rob Tanner <rt...@linfield.edu> on 2002/05/08 20:32:47 UTC

Securing web.xml

Hi,

I'm writing an application that requires r/w access to a database and 
I'm concerned with securing the access credentials (username/passwd) so 
that someone can't simply read the file that contains them.  Please 
note, I am not talking about a SecurityManager issue but rather 
securing a file from access outside of java.

One solution is to root secure the file (i.e., restricting system level 
read privileges to "root"), but then I'd need to run tomcat as root.  Is 
that a good idea?  The other option is to add the credentials as 
environment variables in apache's configuration where root securing the 
file is simple.  Is there some way I can provide arbitrary apache 
configuration data to my servlet via tomcat?  Is there a third 
possibility I haven't thought of?

Thanks,
Rob

       _ _ _ _           _    _ _ _ _ _
      /\_\_\_\_\        /\_\ /\_\_\_\_\_\
     /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
    /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
   /\/_/_/_/_/ /\_\  /\/_/    /\/_/
  /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
  \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)

  Rob Tanner
  UNIX and Networks Manager
  Linfield College, McMinnville OR
  (503) 434-2558 <rt...@linfield.edu>



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
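
The file-permission approach raised in the question above, as an added example that is not part of the original thread: a POSIX shell check that a credentials file is accessible only to its owner and cannot be swapped out through a world-writable parent directory. The function name, file name and file contents are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the permissions of a file holding database credentials.
# cred_file_exposure is a hypothetical helper, not part of Tomcat or Apache.

# cred_file_exposure FILE
# Prints one finding per line and nothing when only the owner has access.
# Returns 0 if clean, 1 if there are findings, 2 if the file is missing.
cred_file_exposure() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    findings=0
    # find -perm -MODE matches when every bit in MODE is set (POSIX).
    for spec in "040:group-readable" "004:world-readable" \
                "020:group-writable" "002:world-writable"; do
        bits=${spec%%:*}
        label=${spec#*:}
        if [ -n "$(find "$f" -prune -perm "-$bits")" ]; then
            echo "$label: $f"
            findings=1
        fi
    done
    # A world-writable parent without the sticky bit lets any local user
    # rename or replace the file, whatever the file's own mode is.
    dir=$(dirname "$f")
    if [ -n "$(find "$dir" -prune -perm -002 ! -perm -1000)" ]; then
        echo "parent-world-writable: $dir"
        findings=1
    fi
    return $findings
}

# Demo on a constructed file; the contents are placeholders, not real credentials.
demo=$(mktemp -d)
printf 'db.user=EXAMPLE_USER\ndb.password=EXAMPLE_PLACEHOLDER\n' > "$demo/db.properties"
chmod 644 "$demo/db.properties"
cred_file_exposure "$demo/db.properties" || true   # reports group- and world-readable
chmod 600 "$demo/db.properties"
cred_file_exposure "$demo/db.properties" && echo "owner-only: OK"
rm -rf "$demo"
```

The check reads mode bits only, so it says who could read the file, not which account the servlet container actually runs as.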


Re: Securing web.xml

Posted by Mark Udstrand <mu...@CompleteIS.com>.
One approach would be to encrypt the username and password stored in the
file and then decrypt the values before authenticating.

M.

----- Original Message -----
From: "Rob Tanner" <rt...@linfield.edu>
To: "tomcat" <to...@jakarta.apache.org>
Sent: Wednesday, May 08, 2002 1:32 PM
Subject: Securing web.xml


> Hi,
>
> I'm writing an application that requires r/w access to a database and
> I'm concerned with securing the access credentials (username/passwd) so
> that someone can't simply read the file that contains them.  Please
> note, I am not talking about a SecurityManager issue but rather
> securing a file from access outside of java.
>
> One solution is to root secure the file (i.e., restricting system level
> read privileges to "root"), but then I'd need to run tomcat as root.  Is
> that a good idea?  The other option is to add the credentials as
> environment variables in apache's configuration where root securing the
> file is simple.  Is there some way I can provide arbitrary apache
> configuration data to my servlet via tomcat?  Is there a third
> possibility I haven't thought of?
>
> Thanks,
> Rob
>
>        _ _ _ _           _    _ _ _ _ _
>       /\_\_\_\_\        /\_\ /\_\_\_\_\_\
>      /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
>     /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
>    /\/_/_/_/_/ /\_\  /\/_/    /\/_/
>   /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
>   \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
>
>   Rob Tanner
>   UNIX and Networks Manager
>   Linfield College, McMinnville OR
>   (503) 434-2558 <rt...@linfield.edu>
>
>
>

