db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: Protecting system properties
Date Thu, 07 Feb 2008 17:58:49 GMT
Daniel John Debrunner wrote:
> John Embretsen wrote:
>
> [lots of good comments snipped]
>
>> We, as Derby developers, should strive to keep the sensitivity of the
>> information stored as (derby) system properties to a minimum. For 
>> example, we
>> should recommend against defining usernames and passwords in 
>> cleartext as system
>> properties (especially in scenarios where remote JMX is enabled), and 
>> should
>> provide better alternatives to the users.
>
> A better alternative already exists today. Derby system level 
> properties can be specified in derby.properties, none of these values 
> are then set as JVM system properties, and thus they will not appear 
> to any standard jmx bean.
I think this will be a sensible recommendation to make when we roll out 
JMX-based tools for Derby. Potentially "derby.system.home" will still be 
visible as a system property.
>
> Exposing these (or a security conscious subset of them) through 
> Derby's SystemMBean is fine, though I'm not sure that's what is being 
> proposed by the jmx changes. I.e. does SystemMbean just display the 
> value of the jvm system property or the value that derby is using (set 
> as a jvm system property or in derby.properties)?
>
> Dan.
>
>


Mime
View raw message