Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to avoid storing passwords in the clear for tomcat's server.xml Resource definition of a DataSource?

The resource definition in tomcat's server.xml looks something like this...

<Resource     name="jdbc/tox"     scope="Shareable"     type="javax.sql.DataSource"     url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"     driverClassName="oracle.jdbc.pool.OracleDataSource"     username="tox"     password="toxbaby"     maxIdle="3"     maxActive="10"     removeAbandoned="true"     removeAbandonedTimeout="60"     testOnBorrow="true"     validationQuery="select * from dual"     logAbandoned="true"     debug="99"/> 

The password is in the clear. How to avoid this?

like image 480
dacracot Avatar asked Sep 24 '08 19:09

dacracot


People also ask

Where does Tomcat store passwords?

The Apache Tomcat Manager Web app password is stored in plain text in CATALINA_HOME/conf/tomcat-users. xml and should be encrypted so it is not visible to an intruder. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.

What is Tomcat vault?

Tomcat Vault is a tool that allows you to encrypt the passwords in Apache Tomcat configuration files.


2 Answers

As said before encrypting passwords is just moving the problem somewhere else.

Anyway, it's quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords. Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml...) using this class.

And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory and use this factory in your resource.

It will look like:

    <Resource         name="jdbc/myDataSource"         auth="Container"         type="javax.sql.DataSource"         username="user"         password="encryptedpassword"         driverClassName="driverClass"         factory="mypackage.MyCustomBasicDataSourceFactory"         url="jdbc:blabla://..."/> 

And for the custom factory:

package mypackage;  ....  public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {  @Override public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {     Object o = super.getObjectInstance(obj, name, nameCtx, environment);     if (o != null) {         BasicDataSource ds = (BasicDataSource) o;         if (ds.getPassword() != null && ds.getPassword().length() > 0) {             String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());             ds.setPassword(pwd);         }         return ds;     } else {         return null;     } } 

Hope this helps.

like image 156
Jerome Delattre Avatar answered Oct 06 '22 10:10

Jerome Delattre


Tomcat has a Password FAQ that specifically addresses your question. In short: Keep the password in the clear and properly lock-down your server.

That page also offers some suggestions of how security-by-obscurity might be used to pass an auditor's checklist.

like image 35
Ryan Avatar answered Oct 06 '22 10:10

Ryan