Encryption of Oracle connection passwords in mapfiles

Stephen Woodbridge woodbri at SWOODBRIDGE.COM
Fri Mar 17 14:21:45 EST 2006

Another alternative would be to have apache set the credentials into 
environment variables for the mapserver process, and then have mapserver 
check for the existence of the environment variables and if they exist 
then they would override any values that might be in the mapfile.

I guess this doesn't work too well if every mapfile needs different 
credentials. I guess this could be worked around with substitution 
strings like:


I used '@' to refer to the environment instead of '%' that refers to the 
  CGI parameters. The actual strings between the @...@ could be anything 
unique in the environment and mod_env in apache would handle setting the 

-Steve W.

Daniel Morissette wrote:
> We have a need to encrypt (or protect somehow) the Oracle connection 
> passwords in map files to avoid having them as plain text. I will look 
> into this some more and write a RFC, but before getting too far I wanted 
> to gather feedback, in case anyone already had their own ideas on this.
> What I'm thinking of doing is creating a utility to encrypt a password, 
> that the developer would then copy/paste into the connection string in 
> the mapfile, possibly with some special delimiter to indicate that it's 
> encrypted. MapServer would decrypt the password internally and use the 
> decrypted password for the connection.
> Unfortunately this requires the use of reversible encryption which is 
> not really that safe, especially when the decryption function is open 
> source, but at least makes it harder to figure the password than just 
> using plain text.
> I would also like to setup a mechanism that will work for all other DB 
> CONNECTIONs so I am interested in comments from all the DB connection 
> maintainers.
> Daniel

More information about the mapserver-dev mailing list