#1 |
|
|
currently working on. If the session object is stored only in RAM, I'm fine. If it's stored in persistent storage, I'm going to have to encrypt the password.

--
JustThe.net Internet & New Media Services, http://JustThe.net/
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
PGP Key available from your friendly local key server (0xE3AE35ED)
Apple Valley, California     Nothing scares me anymore. I have three kids.
|
|
#2 |
|
|
"Steve Sobol" <sjsobol@JustThe.net> wrote in message news:chd7ef$f89$1@ratbert.glorb.com...
> I'm asking because I need to hold onto a password throughout the project I'm
> currently working on. If the session object is stored only in RAM, I'm fine. If
> it's stored in persistent storage, I'm going to have to encrypt the password.

It depends on the product you're using, and also how it's configured. If session persistence/replication is on then the password could be stored or transmitted at some point, so I'd probably encrypt to be safe. Tomcat for example saves session data to file by default when it's shut down.
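An added example, not from any post in this thread: assuming the container persists session attributes with Java serialization (as in the Tomcat shutdown behaviour mentioned above), a `transient` field keeps the password in RAM only, and the example checks the serialized bytes to confirm it. `CredentialHolder` and the sample values are hypothetical.

```java
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical session attribute: the object is Serializable so the container
// can persist it, but the secret is transient and never reaches the file.
public class CredentialHolder implements Serializable {
    private static final long serialVersionUID = 1L;
    private final String username;      // written when the session is persisted
    private transient char[] password;  // skipped by Java serialization

    public CredentialHolder(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    // null after a restore from disk: the application must ask the user again.
    public char[] getPassword() { return password == null ? null : password.clone(); }

    // Wipe the in-memory copy, for example at logout or session invalidation.
    public void clear() {
        if (password != null) Arrays.fill(password, '\0');
        password = null;
    }

    // Byte-exact substring search: ISO-8859-1 maps every byte to one char.
    static boolean contains(byte[] haystack, String needle, Charset cs) {
        String h = new String(haystack, StandardCharsets.ISO_8859_1);
        return h.contains(new String(needle.getBytes(cs), StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-sample-pw";  // constructed sample value
        CredentialHolder before = new CredentialHolder("alice", secret.toCharArray());

        // What a persisting session manager does at shutdown.
        ByteArrayOutputStream file = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(file)) { out.writeObject(before); }
        byte[] bytes = file.toByteArray();
        System.out.println("username persisted: " + contains(bytes, "alice", StandardCharsets.UTF_8));
        System.out.println("password persisted: " + (contains(bytes, secret, StandardCharsets.UTF_8)
                || contains(bytes, secret, StandardCharsets.UTF_16BE)));

        // What it does at startup.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            CredentialHolder after = (CredentialHolder) in.readObject();
            System.out.println("password after restore: " + Arrays.toString(after.getPassword()));
        }
    }
}
```

The cost of this design is that a restored session has no password, so the application has to prompt for it again after a restart.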
|
|
#3 |
|
|
> It depends on the product you're using, and also how it's configured. If
> session persistence/replication is on then the password could be stored or
> transmitted at some point, so I'd probably encrypt to be safe. Tomcat for
> example saves session data to file by default when it's shut down.

**nodding** well, this product has a desktop version, and when I save the password to a file it's DES encrypted. I will do the same thing in the JSP version.

Thanks.
|
|
#4 |
|
|
Steve Sobol wrote:
> I'm asking because I need to hold onto a password throughout the project
> I'm currently working on. If the session object is stored only in RAM,
> I'm fine. If it's stored in persistent storage, I'm going to have to
> encrypt the password.

But is this not "Much Ado About Nothing"? What I mean by that is the fact that only sys admins or the user id running the servlet container are going to be able to access the files used for persistence. Since all of this is occurring on the server side, where are the security considerations? I'm presuming that the server is secured from external access in accordance with traditional best practices...
|
|
#5 |
|
|
Steve Sobol wrote:
> I'm asking because I need to hold onto a password throughout the project
> I'm currently working on.

Could I ask why?
|
|
#6 |
|
|
Sudsy wrote:
> Steve Sobol wrote:
>
>> I'm asking because I need to hold onto a password throughout the
>> project I'm currently working on. If the session object is stored only
>> in RAM, I'm fine. If it's stored in persistent storage, I'm going to
>> have to encrypt the password.
>
> But is this not "Much Ado About Nothing"?

Nope. I try to keep my server locked down and updated. But there's always the chance someone will be able to break in and grab stuff.
|
|
#7 |
|
|
Frank wrote:
> Steve Sobol wrote:
>
>> I'm asking because I need to hold onto a password throughout the
>> project I'm currently working on.
>
> Could I ask why?

Because I need to send it along with some other data to accomplish some of the tasks the site is going to accomplish.