The resource definition in Tomcat's server.xml looks something like this:
<Resource name="jdbc/tox"
          scope="Shareable"
          type="javax.sql.DataSource"
          url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
          driverClassName="oracle.jdbc.pool.OracleDataSource"
          username="tox"
          password="toxbaby"
          maxIdle="3"
          maxActive="10"
          removeAbandoned="true"
          removeAbandonedTimeout="60"
          testOnBorrow="true"
          validationQuery="select * from dual"
          logAbandoned="true"
          debug="99"/>
The password is in the clear. How to avoid this?
The Apache Tomcat Manager web app password is stored in plain text in CATALINA_HOME/conf/tomcat-users.xml and should be encrypted so it is not visible to an intruder. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
Tomcat Vault is a tool that allows you to encrypt the passwords in Apache Tomcat configuration files.
As said before, encrypting passwords is just moving the problem somewhere else.
Anyway, it's quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt and decrypt your passwords. Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml ...) using this class.
And to decrypt the password "on the fly" in Tomcat, extend DBCP's BasicDataSourceFactory and use this factory in your resource. It will look like:
<Resource name="jdbc/myDataSource"
          auth="Container"
          type="javax.sql.DataSource"
          username="user"
          password="encryptedpassword"
          driverClassName="driverClass"
          factory="mypackage.MyCustomBasicDataSourceFactory"
          url="jdbc:blabla://..."/>
And for the custom factory:
package mypackage;

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import org.apache.tomcat.dbcp.dbcp.BasicDataSource;

// Tomcat 6/7 bundle DBCP under org.apache.tomcat.dbcp.dbcp;
// on Tomcat 8 and later the package is org.apache.tomcat.dbcp.dbcp2.
public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
        // Let DBCP build the pool from the <Resource> attributes first ...
        Object o = super.getObjectInstance(obj, name, nameCtx, environment);
        if (o != null) {
            BasicDataSource ds = (BasicDataSource) o;
            // ... then replace the encrypted password attribute with the clear-text one
            if (ds.getPassword() != null && ds.getPassword().length() > 0) {
                String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
                ds.setPassword(pwd);
            }
            return ds;
        } else {
            return null;
        }
    }
}
Hope this helps.
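The answer above leaves the "MyPasswordUtilClass" to the reader and suggests keeping the secret key in a static field, which is exactly the "moving the problem" it warns about. The following is an added example, not code from the original answer or from Tomcat, of what such a helper can look like when the key is at least kept out of the class and out of server.xml: AES-GCM, with the key read from a file named by a TOMCAT_DS_KEY_FILE environment variable (an assumed name), so the key file can live outside CATALINA_BASE with restrictive permissions. The factory shown in the answer would call DataSourcePasswordCodec.decrypt(ds.getPassword()) in place of MyPasswordUtilClass.unscramblePassword(...). The class name, the "ENC:" prefix and the environment variable are all this example's own choices.

```java
package mypackage;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the original answer): AES-GCM codec for the
 * password attribute of a Tomcat JDBC <Resource>. The key is NOT a static
 * field; it is loaded from the file named by the (assumed) environment
 * variable TOMCAT_DS_KEY_FILE, which should be readable only by the
 * Tomcat service account.
 */
public final class DataSourcePasswordCodec {

    private static final String KEY_ENV = "TOMCAT_DS_KEY_FILE";
    private static final String PREFIX = "ENC:";   // marks encrypted values in server.xml
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    private DataSourcePasswordCodec() {}

    /** Loads a base64-encoded 32-byte (AES-256) key from the key file. */
    static SecretKeySpec loadKey() throws IOException {
        String keyFile = System.getenv(KEY_ENV);
        if (keyFile == null || keyFile.isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " is not set");
        }
        String b64 = new String(Files.readAllBytes(Paths.get(keyFile)), StandardCharsets.US_ASCII).trim();
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) {
            throw new IllegalStateException("key file must contain a base64-encoded 32-byte key");
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypts a clear-text password; result is "ENC:" + base64(iv || ciphertext || tag). */
    public static String encrypt(String clear) throws Exception {
        SecretKeySpec key = loadKey();
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);            // fresh nonce for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(clear.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a value produced by encrypt(); values without the prefix are returned unchanged. */
    public static String decrypt(String stored) throws Exception {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return stored;                            // clear-text password: pass through
        }
        byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        if (in.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IllegalArgumentException("encrypted value too short");
        }
        SecretKeySpec key = loadKey();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, GCM_IV_BYTES));
        // GCM is authenticated: a tampered or truncated value throws AEADBadTagException
        // instead of handing the pool a garbage password.
        byte[] clear = c.doFinal(in, GCM_IV_BYTES, in.length - GCM_IV_BYTES);
        return new String(clear, StandardCharsets.UTF_8);
    }

    /** CLI helper: prints the value to paste into the password="..." attribute. */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java mypackage.DataSourcePasswordCodec <clear-password>");
            System.exit(2);
        }
        System.out.println(encrypt(args[0]));
    }
}
```

A key file for this example can be produced with something like `head -c 32 /dev/urandom | base64 > /etc/tomcat/ds.key` followed by restricting it to the Tomcat user (mode 0400). Note what this does and does not buy: server.xml no longer contains the clear-text password, and a modified value is detected rather than silently used, but anyone who can read both the key file and server.xml as the Tomcat user still recovers the password. That is the point the answer and the Tomcat Password FAQ make: the decisive control is file ownership and permissions on CATALINA_BASE/conf and on the key file, not the encryption itself.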
Tomcat has a Password FAQ that specifically addresses your question. In short: keep the password in the clear and properly lock down your server.
That page also offers some suggestions of how security-by-obscurity might be used to pass an auditor's checklist.