Message-ID: <25481727.1163875297584.JavaMail.jira@brutus>
Date: Sat, 18 Nov 2006 10:41:37 -0800 (PST)
From: "Vamsavardhana Reddy (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Commented: (GERONIMO-1135) Keystore password in System.properties
In-Reply-To: <94109302.1131230779581.JavaMail.jira@ajax.apache.org>

[ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12451052 ]

Vamsavardhana Reddy commented on GERONIMO-1135:
-----------------------------------------------

In a server built from branches\1.1, I have examined through the debugger that
SystemProperties does not contain javax.net.ssl.keyStorePassword and javax.net.ssl.trustStorePassword. In branches\1.2 no plan xml file has javax.net.ssl.keystorePassword=... entry. (Only configs\rmi-naming\src\plan\plan.xml has an entry, but it is commented out and so it won't count.)

> Keystore password in System.properties
> --------------------------------------
>
>                 Key: GERONIMO-1135
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: security
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>            Priority: Critical
>             Fix For: 1.2
>
>
> If you look at the System properties, the keystore and trust store passwords are in there. I'm not sure who puts them in there, but we need to find a way to stop that -- or else prevent applications from reading them?
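
The check described in the comment above (inspecting the JVM's System properties for the two JSSE password keys), written as an added Java example; it is not Geronimo code and not part of the original message. The class and method names are hypothetical, and `contextWithoutProperties` assumes the keystore password can be passed to the JSSE API directly rather than through a property.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example, not Geronimo code; class and method names are hypothetical.
public class SslPropertyAudit {
    // The two JSSE password properties named in the comment.
    static final String[] SENSITIVE_KEYS = {
        "javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword"
    };

    // Names (never values) of password properties readable by any code in the JVM.
    static List<String> exposedKeys(Properties props) {
        List<String> found = new ArrayList<>();
        for (String key : SENSITIVE_KEYS) {
            if (props.getProperty(key) != null) found.add(key);
        }
        return found;
    }

    // Assumption: the password is handed to JSSE as a char[] instead of being
    // published as a System property. An empty in-memory keystore stands in
    // for a real keystore file so the example runs offline.
    static SSLContext contextWithoutProperties(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, password);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-sample".toCharArray(); // constructed value
        contextWithoutProperties(pw);
        Arrays.fill(pw, '\0'); // wipe the copy we control
        System.out.println("after explicit init: " + exposedKeys(System.getProperties()));
        // Constructed "before" case: the password is set as a property.
        Properties leaky = new Properties();
        leaky.setProperty("javax.net.ssl.keyStorePassword", "constructed-sample");
        System.out.println("property-based config: " + exposedKeys(leaky));
    }
}
```

Running `exposedKeys(System.getProperties())` inside a deployed component gives the same answer the debugger inspection did, and it reports key names only so the audit output does not itself leak the passwords.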