如何避免为tomcat的server.xml清楚存储密码DataSource的资源定义? [英] How to avoid storing passwords in the clear for tomcat's server.xml Resource definition of a DataSource?

查看:690
本文介绍了如何避免为tomcat的server.xml清楚存储密码DataSource的资源定义?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

tomcat的 server.xml 中的资源定义看起来像这样... 

 < Resource 
 name =jdbc / tox
 scope =Shareable
 type =javax.sql.DataSource
 url =jdbc:oracle:thin:@ yourDBserver.yourCompany.com:1521:yourDBsid
 driverClassName =oracle.jdbc.pool.OracleDataSource
 username =tox
 password =toxbaby
 maxIdle =3
 maxActive =10
 removeAbandoned =true
 removeAbandonedTimeout =60
 testOnBorrow =true 
 validationQuery =select * from dual
 logAbandoned =true
 debug =99/>

密码已清除。如何避免这种情况?

解决方案

如前所述,加密密码只是将问题移到其他地方。



无论如何,这很简单。
只需要写一个带有静态字段的类来为您的密钥等等,以及静态方法加密,解密您的密码。
在Tomcat的配置文件( server.xml yourapp.xml ...)中加密您的密码这个类。



在Tomcat中解密密码on the fly,扩展DBCP的 BasicDataSourceFactory


$ b 

 < Resource 
 name =jdbc / myDataSource
 auth =Container
 type =javax.sql.DataSource
 username = user
 password =encryptedpassword
 driverClassName =driverClass
 factory =mypackage.MyCustomBasicDataSourceFactory
 url =jdbc:blabla:// .../> ;

而对于自定义工厂:

  package mypackage; 
 
 .... 
 
 public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {
 
 @Override 
 public Object getObjectInstance(Object obj,Name name,Context nameCtx,Hashtable environment)throws Exception {
 Object o = super.getObjectInstance(obj,name,nameCtx,environment); 
 if(o!= null){
 BasicDataSource ds =(BasicDataSource)o; 
 if(ds.getPassword()!= null& ds.getPassword()。length()> 0){
 String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword()); 
 ds.setPassword(pwd); 
} 
 return ds; 
} else {
 return null; 
} 
}

希望这有帮助。


The resource definition in tomcat's server.xml looks something like this...

<Resource
    name="jdbc/tox"
    scope="Shareable"
    type="javax.sql.DataSource"
    url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
    driverClassName="oracle.jdbc.pool.OracleDataSource"
    username="tox"
    password="toxbaby"
    maxIdle="3"
    maxActive="10"
    removeAbandoned="true"
    removeAbandonedTimeout="60"
    testOnBorrow="true"
    validationQuery="select * from dual"
    logAbandoned="true"
    debug="99"/>

The password is in the clear. How to avoid this?

解决方案

As said before encrypting passwords is just moving the problem somewhere else.

Anyway, it's quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords. Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml...) using this class.

And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory and use this factory in your resource.

It will look like:

    <Resource
        name="jdbc/myDataSource"
        auth="Container"
        type="javax.sql.DataSource"
        username="user"
        password="encryptedpassword"
        driverClassName="driverClass"
        factory="mypackage.MyCustomBasicDataSourceFactory"
        url="jdbc:blabla://..."/>

And for the custom factory:

package mypackage;

....

public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {

@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
    Object o = super.getObjectInstance(obj, name, nameCtx, environment);
    if (o != null) {
        BasicDataSource ds = (BasicDataSource) o;
        if (ds.getPassword() != null && ds.getPassword().length() > 0) {
            String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
            ds.setPassword(pwd);
        }
        return ds;
    } else {
        return null;
    }
}

Hope this helps.

这篇关于如何避免为tomcat的server.xml清楚存储密码DataSource的资源定义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
服务器开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆