• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

JDBCRealm for any database?

 
Greenhorn
Posts: 19
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello all, I want to use Tomcat's server.xml to store the password to my database which is used by a webapp. The database does not store information about tomcat users so it's not for authentication. The main purpose of this is I cannot have a plain text password stored in my Java code on the server. So I need to store the hashed password somewhere in the Tomcat configuration using digest and ask for a connection from the container itself. I understand that if Tomcat is to make the connection it needs to know how to decrypt the password, and if someone gained access to the server they could easily get the password... but these are the requirements. Does anyone have an example or could point me to an example of how to do this? I've read through: http://ci.apache.org/projects/tomcat/tomcat6/docs/realm-howto.html and it seems like the only purpose is for user authentication.
 
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Realms are solely for user authentication and authorization, that is correct. They have no relationship at all with application data access, and in fact, most of the Realms don't even expect to be backed by databases; realms using XML files, LDAP servers, JAAS, network-based services, and other non-DBMS-based realms are all in common use.

Databases should normally be accessed via pooled connections. When you use a pool, the connections (which require a database userid and password to create) are supplied externally, and therefore the web application has absolutely no business having either database userids OR database passwords embedded within it.

When you configure a database connection pool, you provide it with 4 primary parameters:

1. The connection URL
2. The driver class to use
3. The userId used to obtain all pool connections
4. The password corresponding to that userId.

These elements are normally supplied in clear text, since the pool definition is done in a secured location where it doesn't really matter whether the credentials are encrypted or not. If someone has access to the pool definition, they already pretty much own the system anyway.

It's generally good practice to assign a unique set of security credentials solely to connection pool in order to be able to restrict what the webapp(s) can do using that account. Although that doesn't mean that the apps can get careless, since the access rules will have to be the greatest-common-denominator of all the webapp users using connections from that pool.
 
30 seconds to difuse a loaf of bread ... here, use this tiny ad:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic