
Java Forum / Security / October 2005


Storing sensible configuration data in j2ee-deployment descriptor

E. Ulrich Kriegel - 21 Oct 2005 16:26 GMT
Hi there,
the j2ee-spec defines the env-section of a j2ee deployment descriptor as
a contract between component provider, application assembler and deployer.
Is there any information about pros and cons of storing sensitive data
like resource passwords as env-entries?

Thanks in advance
--ukriegel
---------------------------------------------------------------------
Dr. E.Ulrich Kriegel, ulrich.kriegel@isst.fhg.de,
Fraunhofer ISST, Mollstraße 1, D-10178 Berlin, Germany
tel:   (++49(0)30) 243 06 446 fax:   (++49 (0) 30) 24306 199.
The PKI root certificate of the Fraunhofer Society can be obtained
from  http://pki.fraunhofer.de
=====================================================================

Ben_ - 21 Oct 2005 17:23 GMT
I find it weird to say the least that a password would be stored there.

Password is a matter of deployment and is subject to change, so why store it
in the archive?

E. Ulrich Kriegel - 24 Oct 2005 05:58 GMT
> I find it weird to say the least that a password would be stored there.
>
> Password is a matter of deployment and is subject to change, so why store it
> in the archive?

Imagine that there is a company which develops a j2ee-based
application for another company.
The data center, in which the application will be deployed, will keep
their passwords secret. So the deployer has to set them in phase 2 of
the j2ee deployment process. If the passwords are stored as env-entries,
there is a definite location where to look. Otherwise, putting
passwords in other places, e.g. in property files, would mean to parse
all of them to find the corresponding entries.


Yours
--ukriegel

Ben_ - 24 Oct 2005 06:43 GMT
Don't know for other platforms, but in WebSphere, a DataSource has an
associated J2C Authentication Entry where the admin sets the password to
access the database.

I would find it a pity that as an Admin I would have to go through
packaging & redeployment only to change a password.
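
Added example, not part of the thread and not code from any poster: a pre-deployment check that reads a descriptor and reports env-entries whose name looks like a secret and whose value is already filled in inside the archive, plus resource-refs that use application sign-on instead of container-managed sign-on. The sample descriptor, the entry names and the name pattern are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): one env-entry shipping
# a password, one harmless env-entry, one container- and one app-managed ref.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <env-entry>
    <env-entry-name>db/password</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>constructed-not-a-real-password</env-entry-value>
  </env-entry>
  <env-entry>
    <env-entry-name>mail/maxRetries</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>3</env-entry-value>
  </env-entry>
  <resource-ref>
    <res-ref-name>jdbc/AppDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
  <resource-ref>
    <res-ref-name>jdbc/LegacyDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Application</res-auth>
  </resource-ref>
</web-app>"""

# Heuristic name pattern (an assumption; tune it to your naming conventions).
SECRET_NAME = re.compile(r"passw(or)?d|secret|credential", re.I)

def audit_descriptor(xml_text):
    """Return (finding, name) tuples for a web.xml / ejb-jar.xml string."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # J2EE 1.4 descriptors are namespaced, 1.3 DTD-based ones are not.
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    for entry in root.iter("env-entry"):
        name = (entry.findtext("env-entry-name") or "").strip()
        value = (entry.findtext("env-entry-value") or "").strip()
        # An entry without a value is only a slot the deployer fills in later.
        if SECRET_NAME.search(name) and value:
            findings.append(("secret-in-env-entry", name))
    for ref in root.iter("resource-ref"):
        if (ref.findtext("res-auth") or "").strip() == "Application":
            findings.append(("app-managed-auth", (ref.findtext("res-ref-name") or "").strip()))
    return findings
```

A `Container` resource-ref leaves the sign-on to the server's own configuration, as in the WebSphere setup described above, so no credential has to live in the archive.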

