Thomas Griffith wrote:Tim, what about jdbc passwords stored in conf/Catalina/localhost/MyDb.xml?
That file should be describing a webapp accessable from
http://localhost:8080/MyDb. The Resource defines something that Tomcat will store in that webapp's JNDI dictionary. Typically it would also specify
type="javax.sql.DataSource", which would define a Datasource Connection Pool that the webapp would use. It has no direct connection to Tomcat security.
Tomcat's security is managed by plugins to Tomcat itself and not to the webapp. The security modules are called Realms and there are a specific set of APIs (Interfaces( that define Realms so that Tomcat knows how to talk to them.
The most important method a Realm module presents is the
authenticate() method. This is an overloaded method from
org.apache.catalina.realm.RealmBase, but the most common invocation is for Tomcat to pass 2 arguments that it obtains from the LoginForm or dialog: juserid and jpassword. These arguments are always cleaf-text strings, never encrypted. Tomcat assumes your client login was done via SSL. it trusts its own internal security, so there's no need for encryption there.
If the Realm talks to an external data repository (most do), it is up the the Realm implementation as to whether or not to use encryption at that point. For the JDBC Realm, you can provide a JDBC query such as "SELECT COUNT(*) FROM my_user WHERE user_id = ? AND password = CRYPT(?)". And/or use an encrypted network connection to the JDBC server.
As I've said before, the tomcat-users.xml file is not intended for production use, so it doesn't make any provision for encryption. Since it's typically stored in the Tomcat directory tree, it's as secure — or not — as the rest of Tomcat.