问题
How do I encrypt the clear text passwords in my context.xml file?
I've tried using digest as stated here: https://serverfault.com/questions/295628/how-do-i-use-non-plaintext-passwords-for-tomcat-users but my portlet will end up with a "BeanLocator is null for servlet context" error.
Have also tried creating this: How to avoid storing passwords in the clear for tomcat's server.xml Resource definition of a DataSource? but it was unable to load my Class File (NoClassDefFound Exception)
Or do the above methods work and I just have some issue implementing it?
回答1:
The first link that you give does not apply to the problem, as its for users that tomcat authenticates - and not datasources. Liferay uses completely different ways to identify users and properly hashes passwords already.
The second link is what you're looking for - In order to make it work, you'll have to package your datasourcefactory in a jar file and add it to tomcat's global classpath, e.g. in tomcat/lib or, for a standard Liferay bundle, tomcat/lib/ext. It won't work if you have the jar packaged in a web application as it needs to be available on the overall server side, and not only within a particular web application.
Note the comment on that answer: This is rather scrambling than encrypting, as the same process can easily be undone by any attacker. Yes, it will raise the bar, but it's not really adding strong security. As sooner or later the password will need to be readable by the server, there's almost no way to make this process secure, other than forcing a manual input of the password upon server start. Naturally that's not very popular either.
And yet another option would be to use an appserver that supports non-plaintext saving of passwords out-of-the-box. Same restrictions apply here: It can only be scrambling those passwords, not encrypt in a safe manner.
来源:https://stackoverflow.com/questions/31202697/encrypting-clear-text-database-password-in-context-xml-for-liferay