Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Encrypted password in configuration file

Status
Not open for further replies.
finsalscollons

finsalscollons

Programmer
May 8, 2004
3
SV
Hi.

I am using a JDBC Connection pool in Tomcat 5. I have defined it in conf\Catalina\localhost\ROOT.xml (instead of server.xml as Tomcat 4). So far, everything is ok.

The problem is the database password appears at this file as unencrypted. That is, something like this:

<parameter>
<name>password</name>
<value>MY_UNENCRYPTED_PASSWORD</value>
</parameter>

I am teaching a Tomcat course and my students tell me that this is not very safe, since the password is in plain text and everybody could see it easily. I tell them that they can set the permissions of that file to the webmaster, but they are not convinced (and honestly me neither, I would prefer the password to be encrypted in some form).

Is there a way to do this? I have been searching on the Web and I found nothing.

Thanks in advance,

Vicent Palasí

Comment: I attach the whole file

<Context path="" docBase=“ROOT">
<Resource name="jdbc/prueba" scope="Shareable" type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/prueba">
<parameter>
<name>factory</name> <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
</parameter>

<!-- DBCP database connection settings -->
<parameter>
<name>url</name>
<value>jdbc:mysql://localhost/prueba</value>
</parameter>
<parameter>
<name>driverClassName</name>
<value>com.mysql.jdbc.Driver</value>
</parameter>
<parameter>
<name>username</name>
<value>root</value>
</parameter>
<parameter>
<name>password</name>
<value>arrel</value>
</parameter>

<!-- DBCP connection pooling options -->
<parameter>
<name>maxWait</name>
<value>3000</value>
</parameter>
<parameter>
<name>maxIdle</name>
<value>100</value>
</parameter>

 
Sort by date Sort by votes
You can use the javax.crypto package to encrypt ascii, but to be honest, I really would not bother - setting the permissions on the config file is all you really need to do. Security is one thing - paranoia is another ! Put it into perspective :

If you don't trust people that have access to your webserver, then you should tie down access to that box - not config files. And if someone is so good that they can hack your webserver, and look at your config files, then there are more dangerous things they can do than just look at your config file. It is extremely unlikely that they would then be able to go on, make a connection to your database delete all tables. To be honest, no web db user should have those kind of permissions anyway ...
 
Upvote 0 Downvote
There must surely be a way to encrypt the password in server.xml - having a plain text password ANYWHERE just makes me very nervous. Trust noone! They're all out to get your application!

If anyone can let us know how to do this - like finsalscollins I searched the web but this thread is all I could find. But hey at least I joined Tek-tips!

I notice in IBM WSAD, the test servers that are automatically created use xol encryption - anyone know about this, maybe?

Thanks in advance!
 
Upvote 0 Downvote
this is not related to the password protection question but it
appears that you have the tomcat 5 / mysql connector/J connection working. i am trying to get a connection to mysql and getting the class not found error message. can you tell me where you put the com/mysql/jdbc files and the connector/J jar file in the tomcat5 directory structure. the documentation on the mysql and jakarta.apache.org websites make it sound like it should be easy to get the connection working. i be trying for a couple of days now a contine to receive the com/mysql/jdbc/Driver class not found error. thanks for any help you can provied.
 
Upvote 0 Downvote
you should put the jar file that contains the com.mysql.jdbc package in TOMCAT_HOME/common/lib.

--------------------------------------------------
Free Database Connection Pooling Software
 
Upvote 0 Downvote
that worked. thanks.

i went back to and they do tell you where to put the files.

These jar files along with your the jar file for your JDBC driver should be installed in $CATALINA_HOME/common/lib.

NOTE:Third Party drivers should be in jarfiles, not zipfiles. Tomcat only adds $CATALINA_HOME/common/lib/*.jar to the classpath.

NOTE: Do not install these jarfiles in your /WEB-INF/lib, or $JAVA_HOME/jre/lib/ext, or anywhere else. You will experience problems if you install them anyplace other than $CATALINA_HOME/common/lib.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Heerschap
  • Locked
  • Question
Gentran:Server for iSeries: Show trailing zeros in element on numeric field
Replies
0
Views
10K
Heerschap
Heerschap
Mango_Java
  • Locked
  • Question
WAR file failed in developer tools
Replies
0
Views
10K
Mango_Java
Mango_Java
everdelightedone
  • Locked
  • Question
tomcat 8.0x java.util.logging.Logger.log to file
Replies
2
Views
10K
everdelightedone
everdelightedone
PBT2708
  • Locked
  • Question
connectionCacheProperties (InitialLimit &amp; MinLimit) not working in Tomcat 8 for OracleDB 11g
Replies
0
Views
10K
PBT2708
PBT2708
lindaallen024
  • Locked
  • Question
Immediately Change Your Gmail Account Password
Replies
0
Views
866
lindaallen024
lindaallen024

Part and Inventory Search

Sponsor

Back
Top