db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: Protecting system properties
Date Thu, 07 Feb 2008 17:46:27 GMT
John Embretsen wrote:

[lots of good comments snipped]

> We, as Derby developers, should strive to keep the sensitivity of the
> information stored as (derby) system properties to a minimum. For
> example, we should recommend against defining usernames and passwords
> in cleartext as system properties (especially in scenarios where remote
> JMX is enabled), and should provide better alternatives to the users.

A better alternative already exists today. Derby system level properties 
can be specified in derby.properties; none of these values are then set 
as JVM system properties, and thus they will not appear to any standard 
JMX bean.

Exposing these (or a security-conscious subset of them) through Derby's 
SystemMBean is fine, though I'm not sure that's what is being proposed 
by the JMX changes. I.e., does SystemMBean just display the value of the 
JVM system property or the value that Derby is using (set as a JVM 
system property or in derby.properties)?
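
Added example, not part of the original message and not Derby code: it shows the difference described above, that a value set as a JVM system property is readable through the standard `java.lang:type=Runtime` MXBean, while the same value kept only in a `derby.properties` file is not. The user name, password and temporary directory are constructed for illustration, and the file is read with plain `java.util.Properties` rather than by Derby itself.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.Writer;
import java.lang.management.ManagementFactory;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Properties;

public class SystemPropertyExposure {

    // True if the key is in the map that the platform Runtime MXBean
    // publishes to JMX clients as its SystemProperties attribute.
    static boolean visibleToJmx(String key) {
        Map<String, String> exposed =
                ManagementFactory.getRuntimeMXBean().getSystemProperties();
        return exposed.containsKey(key);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; derby.user.<name> is Derby's BUILTIN user property.
        String key = "derby.user.app_admin";
        String secret = "constructed-sample-password";

        // Case 1: set as a JVM system property (same effect as -Dkey=value).
        System.setProperty(key, secret);
        System.out.println("JVM system property -> visible via RuntimeMXBean: "
                + visibleToJmx(key));
        System.clearProperty(key);

        // Case 2: the same setting kept only in a derby.properties file.
        Path dir = Files.createTempDirectory("derby-system-home");
        Path file = dir.resolve("derby.properties");
        try (Writer w = Files.newBufferedWriter(file)) {
            w.write(key + "=" + secret + System.lineSeparator());
        }
        Properties fromFile = new Properties();
        try (Reader r = Files.newBufferedReader(file)) {
            fromFile.load(r);
        }
        System.out.println("derby.properties    -> loaded from file: "
                + fromFile.containsKey(key)
                + ", visible via RuntimeMXBean: " + visibleToJmx(key));

        Files.delete(file);
        Files.delete(dir);
    }
}
```

The first line prints `true` and the second prints `true` for the file and `false` for the MXBean.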

