Versions Compared

Old Version 8

changes.mady.by.user ASF Infrabot

Saved on

compared with

New Version 9

changes.mady.by.user Mark Thomas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add note about how the config file should be protected

...

Because there isn't a a good way to "secure" them. When Tomcat needs to connect to a database, it needs the original password. While the password could be encoded, there still needs to be a mechanism to decode it. And since the source to Tomcat is freely available, the attacker would know the decoding method. So at best, the password is obscured - but not really protected. Please see the user and dev list archives for flames wars about this topic. That said, any configuration file that does contain a password needs to be appropriately secured. That means limiting access to the file to the user that Tomcat process as and root (or the administrator on Windows).

In The Cathedral and the Bazaar, Eric S. Raymond recounts a story where his fetchmail users asked for encrypted passwords in the .fetchmailrc file (which is almost identical to the situation posed here with server.xml). He refused using the same arguments posed here: encrypting or otherwise obfuscating the password in server.xml does not provide any real security: only "security by obscurity" which isn't actually secure.

...