
Storing sensible configuration data in j2ee-deployment descr

 
E. Ulrich Kriegel
Guest





Posted: Fri Oct 21, 2005 3:26 pm    Post subject: Storing sensible configuration data in j2ee-deployment descr




Hi there,
the j2ee-spec defines the env-section of a j2ee deployment descriptor as
a contract between component provider, application assembler and deployer.
Is there any information about pros and cons of storing sensitive data
like resource passwords as env-entries?
--
Thanks in advance
--ukriegel
---------------------------------------------------------------------
Dr. E.Ulrich Kriegel, ulrich.kriegel (AT) isst (DOT) fhg.de,
Fraunhofer ISST, Mollstraße 1, D-10178 Berlin, Germany
tel: (++49(0)30) 243 06 446 fax: (++49 (0) 30) 24306 199.
The PKI root certificate of the Fraunhofer Society can be obtained
from http://pki.fraunhofer.de
Ben_
Guest





Posted: Fri Oct 21, 2005 4:23 pm    Post subject: Re: Storing sensible configuration data in j2ee-deployment d



I find it weird to say the least that a password would be stored there.

Password is a matter of deployment and is subject to change, so why store it
in the archive?


E. Ulrich Kriegel
Guest





Posted: Mon Oct 24, 2005 4:58 am    Post subject: Re: Storing sensible configuration data in j2ee-deployment d




Ben_ wrote:
> I find it weird to say the least that a password would be stored there.
>
> Password is a matter of deployment and is subject to change, so why store it
> in the archive?

Imagine that there is a company which develops a j2ee-based
application for another company.
The data center, in which the application will be deployed, will keep
their passwords secret. So the deployer has to set them in phase 2 of
the j2ee deployment process. If the passwords are stored as env-entries,
there is a definite location where to look for. Otherwise, putting
passwords in other places, e.g. in property files, would mean to parse
all of them to find the corresponding entries.


--
Yours
--ukriegel

Ben_
Guest





Posted: Mon Oct 24, 2005 5:43 am    Post subject: Re: Storing sensible configuration data in j2ee-deployment d

Don't know for other platforms, but in WebSphere, a DataSource has an
associated J2C Authentication Entry where the admin sets the password to
access the database.

I would find it a pity that as an Admin I would have to go through
packaging & redeployment only to change a password.
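
The two approaches contrasted in this thread, as an added example that is not code posted by either participant: a small audit that reads a deployment descriptor, flags env-entries that carry a secret-looking value inside the archive, and lists resource references whose credentials are left to the container (the arrangement the WebSphere J2C authentication entry supports). The sample descriptor, its entry names and values, and the name pattern are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptor (J2EE 1.4 web.xml); names and values are made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <env-entry>
    <env-entry-name>db/password</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>s3cret-example</env-entry-value>
  </env-entry>
  <env-entry>
    <env-entry-name>report/pageSize</env-entry-name>
    <env-entry-type>java.lang.Integer</env-entry-type>
    <env-entry-value>50</env-entry-value>
  </env-entry>
  <resource-ref>
    <res-ref-name>jdbc/OrdersDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>
"""

# Heuristic name pattern (an assumption; extend it for local naming conventions).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|credential|token", re.I)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop namespace so DTD and schema descriptors both match

def _child_text(elem, name):
    """Text of the first direct child with this local name, or ''."""
    hits = [c.text or "" for c in elem if _local(c.tag) == name]
    return hits[0].strip() if hits else ""

def audit_descriptor(xml_text):
    """Return (secret_env_entries, container_auth_refs) found in a descriptor."""
    root = ET.fromstring(xml_text)
    secrets, container_refs = [], []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind == "env-entry":
            name = _child_text(elem, "env-entry-name")
            # Flag only entries that actually ship a value inside the archive.
            if SECRET_NAME.search(name) and _child_text(elem, "env-entry-value"):
                secrets.append(name)
        elif kind == "resource-ref" and _child_text(elem, "res-auth") == "Container":
            container_refs.append(_child_text(elem, "res-ref-name"))
    return secrets, container_refs
```

Calling `audit_descriptor(SAMPLE_WEB_XML)` reports `db/password` as a secret packaged with the application and `jdbc/OrdersDS` as a reference whose password stays in the server's own configuration.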

