tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject MBeans and credentials
Date Fri, 01 Oct 2010 18:32:44 GMT
Should we remove the following attributes from the respective mbeans?

- "shutdown" from "Catalina:type=Server"
- "keyPass" from "Catalina:type=ProtocolHandler,port=8080"
- "password" from "User"
- "connectionPassword" from "JDBCRealm"
- "password" for a DataSource (?)

Or at least allow to drop them from a jmxproxy query (e.g. 
qry=*:*&filter=nopass).

Of course it is likely that people having access to JMX are already 
powerful enough to do harm. On the other hand at least exports via 
jmxproxy are not to unlikely to get passed outside for troubleshooting.

Is anyone aware of more of those?
What about user names for the cases where they also exist?

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message