如何避免为tomcat的server.xml清楚存储密码DataSource的资源定义? [英] How to avoid storing passwords in the clear for tomcat's server.xml Resource definition of a DataSource?
问题描述
tomcat的 server.xml
中的资源定义看起来像这样...
< Resource
name =jdbc / tox
scope =Shareable
type =javax.sql.DataSource
url =jdbc:oracle:thin:@ yourDBserver.yourCompany.com:1521:yourDBsid
driverClassName =oracle.jdbc.pool.OracleDataSource
username =tox
password =toxbaby
maxIdle =3
maxActive =10
removeAbandoned =true
removeAbandonedTimeout =60
testOnBorrow =true
validationQuery =select * from dual
logAbandoned =true
debug =99/>
密码已清除。如何避免这种情况?
如前所述,加密密码只是将问题移到其他地方。
无论如何,这很简单。
只需要写一个带有静态字段的类来为您的密钥等等,以及静态方法加密,解密您的密码。
在Tomcat的配置文件( server.xml
或 yourapp.xml
...)中加密您的密码这个类。
在Tomcat中解密密码on the fly,扩展DBCP的 BasicDataSourceFactory
$ b
< Resource
name =jdbc / myDataSource
auth =Container
type =javax.sql.DataSource
username = user
password =encryptedpassword
driverClassName =driverClass
factory =mypackage.MyCustomBasicDataSourceFactory
url =jdbc:blabla:// .../> ;
而对于自定义工厂:
package mypackage;
....
public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {
@Override
public Object getObjectInstance(Object obj,Name name,Context nameCtx,Hashtable environment)throws Exception {
Object o = super.getObjectInstance(obj,name,nameCtx,environment);
if(o!= null){
BasicDataSource ds =(BasicDataSource)o;
if(ds.getPassword()!= null& ds.getPassword()。length()> 0){
String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
ds.setPassword(pwd);
}
return ds;
} else {
return null;
}
}
希望这有帮助。
The resource definition in tomcat's server.xml
looks something like this...
<Resource
name="jdbc/tox"
scope="Shareable"
type="javax.sql.DataSource"
url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
driverClassName="oracle.jdbc.pool.OracleDataSource"
username="tox"
password="toxbaby"
maxIdle="3"
maxActive="10"
removeAbandoned="true"
removeAbandonedTimeout="60"
testOnBorrow="true"
validationQuery="select * from dual"
logAbandoned="true"
debug="99"/>
The password is in the clear. How to avoid this?
As said before encrypting passwords is just moving the problem somewhere else.
Anyway, it's quite simple.
Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords.
Encrypt your password in Tomcat's configuration file (server.xml
or yourapp.xml
...) using this class.
And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory
and use this factory in your resource.
It will look like:
<Resource
name="jdbc/myDataSource"
auth="Container"
type="javax.sql.DataSource"
username="user"
password="encryptedpassword"
driverClassName="driverClass"
factory="mypackage.MyCustomBasicDataSourceFactory"
url="jdbc:blabla://..."/>
And for the custom factory:
package mypackage;
....
public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {
@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
Object o = super.getObjectInstance(obj, name, nameCtx, environment);
if (o != null) {
BasicDataSource ds = (BasicDataSource) o;
if (ds.getPassword() != null && ds.getPassword().length() > 0) {
String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
ds.setPassword(pwd);
}
return ds;
} else {
return null;
}
}
Hope this helps.
这篇关于如何避免为tomcat的server.xml清楚存储密码DataSource的资源定义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!