Return-Path: Delivered-To: apmail-geronimo-user-archive@www.apache.org Received: (qmail 88119 invoked from network); 22 Feb 2007 17:35:38 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 22 Feb 2007 17:35:38 -0000 Received: (qmail 48880 invoked by uid 500); 22 Feb 2007 17:35:44 -0000 Delivered-To: apmail-geronimo-user-archive@geronimo.apache.org Received: (qmail 48858 invoked by uid 500); 22 Feb 2007 17:35:43 -0000 Mailing-List: contact user-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: user@geronimo.apache.org List-Id: Delivered-To: mailing list user@geronimo.apache.org Received: (qmail 48847 invoked by uid 99); 22 Feb 2007 17:35:43 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Feb 2007 09:35:43 -0800 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of ammulder@gmail.com designates 64.233.184.230 as permitted sender) Received: from [64.233.184.230] (HELO wr-out-0506.google.com) (64.233.184.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Feb 2007 09:35:32 -0800 Received: by wr-out-0506.google.com with SMTP id 68so250494wri for ; Thu, 22 Feb 2007 09:35:12 -0800 (PST) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=IrMurppapcBdePoz7XkUfTv+NWNU3Pqx6PM1pqZKaW0Gdp6L0gY5Xofz1Lrw5Mgovh0K32ml0yi2/DtImfy2WfZ3kE6gr6Y2GWZpHPWZginptQU+eAMBVaK2LwxQQVS7wwcTeIOzzbpFmIv61n5PepNFyYj0tVB+zWvg552/4HU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=Ov9JXrLFIJAGONvdXTubo/+o37suCaGlRQqFKcwkLWaPZaU8NwjTK2M19gMZDdjo4b/rXukdfJ6s5bxjuf/IpGf6heTSBdTVwjiow8FkvZfuKFesWxzM99ihz4KPoVMMZkz7/99b41bcRB2yte8ER/GNRYluOxBjv62GebxL9AU= Received: by 10.115.54.1 with SMTP id g1mr387687wak.1172165711180; Thu, 22 Feb 2007 09:35:11 -0800 (PST) Received: by 10.115.22.16 with HTTP; Thu, 22 Feb 2007 09:35:11 -0800 (PST) Message-ID: <74e15baa0702220935s5ab3b312m445b36576017a135@mail.gmail.com> Date: Thu, 22 Feb 2007 12:35:11 -0500 From: "Aaron Mulder" Sender: ammulder@gmail.com To: user@geronimo.apache.org Subject: Re: Plaintext passwords in Geronimo plans and config files In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-Google-Sender-Auth: 591add15abf9d6f5 X-Virus-Checked: Checked by ClamAV on apache.org There is some built-in encryption available. My recollection was that the server tried to apply it to settings with "password" in the name, but it may have changed in 1.2-beta. Thanks, Aaron On 2/22/07, Aman Nanner/MxI Technologies wrote: > > Hi, > > I have noticed that passwords in plans and configuration files in Geronimo > (1.2-beta) are not encrypted by the server, and remain in plaintext. For > example, passwords in: > > 1) Datasource connector plans > 2) ActiveMQ connector plans > 3) TomcatWebSSL Keystore passwords > 4) Geronimo properties realm passwords > > Having these plaintext passwords in these configuration files pose an > inherent security risk that would prevent us from deploying Geronimo out to > customer sites. Are there any plans to have all these passwords encrypted? > > Thanks, > Aman > > __________________________________________________________________________________ > * This message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy or disclose the message or any information contained in the message. If you have received this message in error, please advise the sender by reply e-mail , and delete the message, or call (collect) 001 613 747 4698. * > >