is this not a security issue

 
Ranch Hand
Posts: 510
We can define usernames and passwords in tomcat-users.xml in the apache-tomcat-6.0.16\conf folder.
Is this not a security issue?
I mean, anyone who can access the server is able to see the usernames and passwords?
 
Sheriff
Posts: 67746
The security issue is allowing someone who shouldn't be seeing that file to see that file. Make sure that user permissions and file permissions are set up appropriately.
 
Samanthi perera
Ranch Hand
Posts: 510
How do I set up user permissions and file permissions appropriately?
 
Bear Bibeault
Sheriff
Posts: 67746
That's a systems administration issue, and greatly depends upon the OS. Nothing to do with Tomcat.
 
Saloon Keeper
Posts: 27752
Actually, if you'll note, the documentation for Tomcat recommends NOT using the MemoryRealm as a production authentication and authorization Realm. It wasn't really intended for industrial-strength use, and it can't handle adding/changing users and roles without restarting Tomcat.

MemoryRealm is good for development and "proof of concept" uses, but most production servers are more likely to be using either a database or an LDAP server as their repository for credentials. When they're not doing something more sophisticated, such as authentication via web services.

Actually, as far as protection goes, none of Tomcat's files should be directly viewable (or alterable!) by unauthorized users. I usually define a "tomcat" user ID to ensure that, and give user "tomcat" the access rights.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
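The file-permission check the replies above describe, written out as an added example (not code from this thread or from the Tomcat project). It assumes a standard CATALINA_HOME layout with conf/tomcat-users.xml and a dedicated service account, assumed here to be named "tomcat", that should own the Tomcat files.

```shell
#!/bin/sh
# Constructed example: audit who can read Tomcat's credential and config files.
# Assumption: Tomcat runs as a dedicated "tomcat" account that owns CATALINA_HOME.

# check_conf_perms FILE [OWNER]
# Returns 0 when FILE is owned by OWNER (default "tomcat") and has no
# group/other permission bits; returns 1 and prints each finding otherwise.
check_conf_perms() {
    f=$1
    want_owner=${2:-tomcat}
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi
    # ls -ld is POSIX: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $f is owned by $owner, expected $want_owner"
        rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits,
    # e.g. "-rw-r--r--" yields "r--r--": anyone on the box can read it.
    rest=$(printf '%s' "$mode" | cut -c5-10)
    case $rest in
        ------) ;;
        *)
            echo "PERMS: $f has group/other bits '$rest' (mode $mode); run chmod 600"
            rc=1
            ;;
    esac
    return $rc
}

# audit_tomcat_conf CATALINA_HOME [OWNER]
# Applies the check to every regular file under conf/, since tomcat-users.xml
# is only the most obvious of the files that should not be world-readable.
audit_tomcat_conf() {
    home=$1
    owner=${2:-tomcat}
    status=0
    for f in "$home"/conf/*; do
        [ -f "$f" ] || continue
        check_conf_perms "$f" "$owner" || status=1
    done
    return $status
}
```

Run it as `audit_tomcat_conf /path/to/apache-tomcat-6.0.16` after restricting the directory; a non-zero exit lists every file still readable by other accounts.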