
Our app runs on Tomcat. On startup, we read a properties file that is expected to be at a certain location on the server. Among other things the properties file contains the details for connecting to a database.

Each of our clients has their own instance of the app. It is either hosted by us or is run on a server in their facility.

One of our clients is worried about the password required to connect to the database being stored as plain text in this properties file. A lot of ideas are being discussed in the team about encrypting the password in the file using a shared key or public-private key etc. But none seem like a good solution to me. The fact that a key would have to be hardcoded in the source code seems like a bad idea.

I feel it would be better to prompt the client somehow for a password any time they start Tomcat and let them manually specify the password.

Have you dealt with a similar situation? What solutions have you used?

Thanks.

1 Answer

You may want to review: http://wiki.apache.org/tomcat/FAQ/Password

That said, any configuration file that does contain a password needs to be appropriately secured. That means limiting access to the file so that it can be read only by the user that the Tomcat process runs as and by root (or the administrator on Windows).

Hope this helps!
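As an added illustration of the answer's point (not code from the original post or from Tomcat), a POSIX shell check that the properties file is owned by the Tomcat service account and has no group/other permission bits, plus a helper to fix it; the path, the account name `tomcat` and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: verify that a Tomcat properties file holding a DB password
# is readable only by its owner (the Tomcat service account) and root.
# Assumes a Linux system with GNU stat; the path and the account name
# "tomcat" in the usage comment below are placeholders for your deployment.

# check_secret_file FILE OWNER
# Returns 0 if FILE exists, is owned by OWNER and grants nothing to
# group/others; otherwise prints what is wrong and returns 1.
check_secret_file() {
    file=$1
    owner=$2
    status=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "$file: owned by $actual_owner, expected $owner"
        status=1
    fi
    # keep only the last two octal digits (group and other), e.g. 640 -> 40
    group_other=$(printf '%s' "$mode" | tail -c 2)
    if [ "$group_other" != "00" ]; then
        echo "$file: mode $mode is readable by group/others; use 0600"
        status=1
    fi
    return $status
}

# harden_secret_file FILE OWNER
# Sets ownership to OWNER and mode 0600 (must be run as root).
harden_secret_file() {
    chown "$2" "$1" && chmod 0600 "$1"
}

# Usage (placeholder path and account):
#   check_secret_file /opt/app/conf/app.properties tomcat \
#       || harden_secret_file /opt/app/conf/app.properties tomcat
```

Run the check from a startup script or a cron job so a file that was later chmod'ed to world-readable is caught rather than silently left exposed.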
