tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] clear text keystore password in server.xml
Date Thu, 02 Sep 2010 16:31:00 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pid,

On 9/2/2010 11:51 AM, Pid wrote:
>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>> 1. Use a password entered on the console during start-up (the "Apache
>>>     httpd strategy")
> 
> java.io.Console makes this easy in Java 6, but...

Right: before Java 6, you'd have to enter the password clear-text on the
console. :(

>>> All other strategies simply move the problem to some other component.
>>> Protecting one password requires another password which requires
>>> protecting which ... you get the idea.
> 
> ..lots of info is available by JMX, once the server is up.  In Java 6
> you can attach to the process locally, without having to configure the
> JMX ports because it injects the management agent into the virtual machine.

I hadn't considered that, never having used JMX. Are you saying that
anyone with local access can snoop a JVM? What are the strategies
available to prohibit that? Can you disable local JMX altogether? How
about some kind of authentication?

> Worse, if they're already on your server they've probably got a much
> bigger surface area to attack, than just Tomcat.  And if they get root,
> it's all over.

+1

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkx/0UQACgkQ9CaO5/Lv0PAtVgCaA0q97gYTRPrqB9FfiKCFhzPW
cFUAnRrKtuYAp7Ee5xTTDc66CEuU8AQM
=a7//
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
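The console-prompt strategy discussed above (option 1, the "Apache httpd strategy"), as an added example written for this page; it is not Tomcat code and not code posted by either participant. It reads the keystore password with java.io.Console.readPassword(), which suppresses echo, loads the keystore with it, and scrubs the char[] afterwards. The class name and the command-line arguments are this example's own choices; the code is kept to Java 6 constructs (no try-with-resources) to match the thread.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Added example (not Tomcat's own code): open a keystore with a password
 * typed at start-up instead of one stored in clear text in server.xml.
 */
public class ConsoleKeystoreLoader {

    /** Prompt on the controlling terminal; readPassword() does not echo the input. */
    static char[] promptForPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            // No TTY (started by an init script, or stdin/stdout redirected):
            // refuse rather than fall back to an echoed, logged read of System.in.
            throw new IllegalStateException("no console available; cannot read password securely");
        }
        char[] pw = console.readPassword("%s", prompt);
        if (pw == null || pw.length == 0) {
            throw new IllegalStateException("empty password");
        }
        return pw;
    }

    /** Load the keystore, then scrub our copy of the password whatever the outcome. */
    static KeyStore loadKeyStore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            // Only our array is wiped; the password was still in process memory
            // while load() ran, which is the window a local attacker could use.
            Arrays.fill(password, '\0');
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ConsoleKeystoreLoader <keystore-path> [type]");
            System.exit(2);
        }
        String type = args.length > 1 ? args[1] : KeyStore.getDefaultType();
        char[] pw = promptForPassword("Keystore password for " + args[0] + ": ");
        KeyStore ks = loadKeyStore(args[0], type, pw);

        // List what was unlocked, without touching any key material.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println(alias + (ks.isKeyEntry(alias) ? " (key)" : " (cert)"));
        }
    }
}
```

Two practical caveats, added here rather than stated in the thread: System.console() returns null when the JVM is not attached to a terminal, which is the usual case for a Tomcat started from a service script, so a real deployment needs either an interactive start or an external prompting program (the approach httpd's SSLPassPhraseDialog takes). And, as the JMX point above illustrates, the password is in the JVM's memory while it is used, so anyone who can attach to the process (same user, or root) can read it regardless of how it was entered; HotSpot's -XX:+DisableAttachMechanism flag turns off the local attach mechanism Pid describes, at the cost of also disabling local tools such as jconsole and jmap.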

