geronimo-dev mailing list archives

From Gianny Damour <gianny.dam...@optusnet.com.au>
Subject Re: svn commit: r594117 [1/2] - in /geronimo/server/trunk: assemblies/geronimo-jetty6-javaee5/src/main/assembly/ assemblies/geronimo-jetty6-javaee5/src/main/resources/cluster-repository/ assemblies/geronimo-jetty6-javaee5/src/main/resources/master-re
Date Wed, 14 Nov 2007 20:43:05 GMT
Hi Kevan,

Sorry for my late reply and thanks for raising this security issue. I
believe that the encryption of password attributes is not enough here,
because the password in this case is set inside an XML JavaBean attribute;
based on a cursory review of GBeanOverride, it seems that this case
is not yet handled.

I will fix this problem tonight or in the next couple of days.

Thanks,
Gianny

On 15/11/2007, at 6:54 AM, Kevan Miller wrote:

>
>
> On Nov 13, 2007 4:40 PM, Kevan Miller <kevan.miller@gmail.com> wrote:
> Hi Gianny,
> I notice that this scheme is storing "admin" username and password  
> in clear text. It will also make the username/password accessible  
> via JMX. I think we need to avoid this. Would prefer to see this  
> information handled in a manner more consistent with our handling  
> of sensitive information in var/security. Would you agree?
>
> David Jencks reminded me that 'password' properties in config.xml  
> will be encrypted.
>
> --kevan
>
>
> --kevan
>
> On Nov 12, 2007, at 8:35 AM, gdamour@apache.org wrote:
>
>> Modified: geronimo/server/trunk/plugins/clustering/clustering/src/ 
>> main/plan/plan.xml
>> URL:  http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/ 
>> clustering/clustering/src/main/plan/plan.xml? 
>> rev=594117&r1=594116&r2=594117&view=diff
>> ===================================================================== 
>> =========
>> --- geronimo/server/trunk/plugins/clustering/clustering/src/main/ 
>> plan/plan.xml (original)
>> +++ geronimo/server/trunk/plugins/clustering/clustering/src/main/ 
>> plan/plan.xml Mon Nov 12 05:35:48 2007
>> @@ -27,4 +27,78 @@
>>         </reference>
>>     </gbean>
>>
>> +    <gbean name="MasterRepository"  
>> class="org.apache.geronimo.system.repository.Maven2Repository">
>> +        <attribute name="root">master-repository/</attribute>
>> +        <reference name="ServerInfo">
>> +            <name>ServerInfo</name>
>> +        </reference>
>> +    </gbean>
>> +
>> +    <gbean name="MasterConfigurationStore" class="  
>> org.apache.geronimo.clustering.deployment.MasterConfigurationStore">
>> +        <xml-attribute name="defaultEnvironment">
>> +            <environment xmlns=" http://geronimo.apache.org/xml/ 
>> ns/deployment-${geronimoSchemaVersion}">
>> +                <dependencies>
>> +                    <dependency>
>> +                        <groupId>${pom.groupId }</groupId>
>> +                        <artifactId>clustering</artifactId>
>> +                        <type>car</type>
>> +                    </dependency>
>> +                </dependencies>
>> +            </environment>
>> +        </xml-attribute>
>> +        <reference name="Repository">
>> +            <name>MasterRepository</name>
>> +        </reference>
>> +        <reference name="ClusterInfo">
>> +            <name>ClusterInfo</name>
>> +        </reference>
>> +        <reference name="ClusterConfigurationStoreClient">
>> +            <name>ClusterConfigurationStoreClient</name>
>> +        </reference>
>> +    </gbean>
>> +
>> +    <gbean name="ClusterConfigurationStoreClient"  
>> class="org.apache.geronimo.clustering.deployment.BasicClusterConfigur 
>> ationStoreClient ">
>> +        <attribute name="clusterConfigurationStoreNameQuery">? 
>> name=ClusterConfigurationStore</attribute>
>> +    </gbean>
>> +
>> +    <gbean name="ClusterRepository" class="  
>> org.apache.geronimo.system.repository.Maven2Repository">
>> +        <attribute name="root">cluster-repository/</attribute>
>> +        <reference name="ServerInfo">
>> +            <name>ServerInfo</name>
>> +        </reference>
>> +    </gbean>
>> +
>> +    <gbean name="ClusterStore"  
>> class="org.apache.geronimo.system.configuration.RepositoryConfigurati 
>> onStore">
>> +        <reference name="Repository">
>> +            <name>ClusterRepository</name>
>> +        </reference>
>> +    </gbean>
>> +
>> +    <gbean name="ClusterConfigurationStore"  
>> class="org.apache.geronimo.clustering.deployment.BasicClusterConfigur 
>> ationStore ">
>> +        <reference name="ConfigurationStore">
>> +            <name>ClusterStore</name>
>> +        </reference>
>> +    </gbean>
>> +
>> +    <!-- Static Cluster Configuration -->
>> +    <gbean name="ClusterInfo"  
>> class="org.apache.geronimo.clustering.config.BasicClusterInfo">
>> +        <attribute name="name">${PlanClusterName}</attribute>
>> +        <reference name="NodeInfos"></reference>
>> +    </gbean>
>> +
>> +    <gbean name="NodeInfo"  
>> class="org.apache.geronimo.clustering.config.BasicNodeInfo">
>> +          <attribute name="name">NodeName</attribute>
>> +          <xml-attribute name="extendedJMXConnectorInfo">
>> +              <ns:javabean xmlns:ns="http://geronimo.apache.org/ 
>> xml/ns/deployment/javabean-1.0 "  
>> class="org.apache.geronimo.clustering.config.BasicExtendedJMXConnecto 
>> rInfo">
>> +                  <ns:property name="username">system</ns:property>
>> +                  <ns:property name="password">manager</ns:property>
>> +                  <ns:property name="protocol">rmi</ns:property>
>> +                  <ns:property name="host">localhost</ns:property>
>> +                  <ns:property name="port">1099</ns:property>
>> +                  <ns:property name="urlPath">JMXConnector</ 
>> ns:property>
>> +                  <ns:property name="local">true</ns:property>
>> +              </ns:javabean>
>> +          </xml-attribute>
>> +      </gbean>
>> +
>> </module>
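Review bot: The `NodeInfo` gbean hard-codes its node name and JMX endpoint (`NodeName`, `rmi`, `localhost`, `1099`) as literals, whereas `ClusterInfo` just above it takes its name from `${PlanClusterName}`, and nothing in the plan marks these as sample values to be overridden per node. With `local` set to `true` the entry presumably describes only the server itself, but an operator copying it for a remote member would carry the plain `rmi` protocol along, so it is worth confirming that remote members are expected to use a protected transport. I would add a comment above the gbean such as `<!-- Sample entry for the local node: override name, host, port and protocol for each cluster member -->`.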
>
>

