How secure is web.xml for storing passwords?

 
Sangel Kapoor
Hello everyone,

I am learning JSP and Servlets these days.

I just read that configuration parameters can be placed inside the "web.xml" deployment descriptor file. Also, web.xml is not visible to the users.

I wonder whether "web.xml" is the right place to store passwords?

My findings:
Someone replied on Stack Overflow that it is not the right place; instead, you should put them in a separate file and store the location of the file in web.xml.
Also, you can restrict access to that file to root users.

I want to get reviews from the Java Ranch geeks on this and other alternative solutions, if any.
Moreover, how do I restrict access to the root users?

Thanks!!!
 
Ulf Dittmer
I think it is preferable to keep as much configuration out of web.xml as possible. Keeping that information in one or more properties files is a good approach, IMO - you can keep several such files for different deployment environments, with no need to change web.xml.

If you're talking about user passwords, those should not be in a file, but rather in a DB or LDAP repository.
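
The approach discussed above (secrets in a separate properties file with restricted access, only its location in web.xml), as an added example that is not part of the original thread or any poster's code. The class name, the `secretsFile` parameter name and the `db.password` key are hypothetical, and it assumes a POSIX file system where the file is owned by the account the servlet container runs as.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class SecretsFileLoader {
    // Permission bits that let accounts other than the owner read or change the file.
    private static final Set<PosixFilePermission> NOT_OWNER_ONLY = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Loads the properties file, refusing it unless only its owner can access it. */
    public static Properties load(Path file) throws IOException {
        // Throws UnsupportedOperationException on non-POSIX file systems (e.g. Windows).
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (!Collections.disjoint(perms, NOT_OWNER_ONLY)) {
            throw new SecurityException(file + " is accessible to group/others ("
                    + PosixFilePermissions.toString(perms) + "); expected rw-------");
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // In a servlet the path would come from a web.xml context-param, e.g.
        // getServletContext().getInitParameter("secretsFile") (hypothetical name).
        Path file = Files.createTempFile("app-secrets", ".properties"); // constructed sample
        Files.write(file, "db.password=constructed-sample-value\n".getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-r--r--"));
        try {
            load(file); // world-readable: must be rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        System.out.println("loaded keys: " + load(file).stringPropertyNames());
        Files.delete(file);
    }
}
```

Failing closed on loose permissions means a deployment mistake surfaces at startup instead of leaving the secret readable by other local accounts.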
 
Sangel Kapoor
Ulf Dittmer wrote:
If you're talking about user passwords, those should not be in a file, but rather in a DB or LDAP repository.


Thanks for your insights Ulf Dittmer.

Why not files if they are restricted?
 
Ulf Dittmer
Files are too inflexible. You don't want to change a file every time you add or disable a user. What's more, you'd need a mechanism to reload that file at runtime - an unnecessary complication.
 
Sangel Kapoor
Ulf Dittmer wrote: Files are too inflexible. You don't want to change a file every time you add or disable a user. What's more, you'd need a mechanism to reload that file at runtime - an unnecessary complication.


 