tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: [OT] clear text keystore password in server.xml
Date Thu, 02 Sep 2010 16:55:35 GMT
On 02/09/2010 17:31, Christopher Schultz wrote:
> Pid,
> 
> On 9/2/2010 11:51 AM, Pid wrote:
>>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>>> 1. Use a password entered on the console during start-up (the "Apache
>>>>     httpd strategy")
> 
>> java.io.Console makes this easy in Java 6, but...
> 
> Right: before Java 6, you'd have to enter the password clear-text on the
> console. :(
> 
>>>> All other strategies simply move the problem to some other component.
>>>> Protecting one password requires another password which requires
>>>> protecting which ... you get the idea.
> 
>> ..lots of info is available by JMX, once the server is up.  In Java 6
>> you can attach to the process locally, without having to configure the
>> JMX ports because it injects the management agent into the virtual machine.
> 
> I hadn't considered that, never having used JMX. Are you saying that
> anyone with local access can snoop a JVM? What are the strategies
> available to prohibit that? Can you disable local JMX altogether? How
> about some kind of authentication?

Pretty much.  I'm not sure how to disable it, I've only just got the
hang of enabling it.

http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html

Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
for that.


p

>> Worse, if they're already on your server they've probably got a much
>> bigger surface area to attack, than just Tomcat.  And if they get root,
>> it's all over.
> 
> +1
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
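As an added illustration of the "Apache httpd strategy" discussed in this thread (reading the keystore password on the console at start-up rather than storing it clear-text in server.xml), here is a small Java 6 style program. It is example code written for this page, not part of Tomcat or of anything the posters wrote; the class name, the prompt text and the default keystore path conf/keystore.jks are assumptions. It uses java.io.Console.readPassword, which the thread notes became available in Java 6, and refuses to continue when no console is attached instead of silently falling back to a hard-coded value.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example, not Tomcat code: load a keystore with a password typed on
 * the console at start-up instead of one stored clear-text in server.xml.
 */
public final class ConsoleKeystoreLoader {

    private ConsoleKeystoreLoader() {
    }

    /**
     * Prompts on the attached console without echoing the input.
     * Returns null when the JVM has no console (service wrapper, redirected
     * stdin), so the caller can fail closed rather than guess a password.
     */
    static char[] promptForPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            return null;
        }
        return console.readPassword("%s", prompt);
    }

    /**
     * Loads the keystore at path with the given password. The password is
     * kept as a char[] and overwritten afterwards so it does not linger in
     * the heap as an immutable String, which matters on a JVM that can be
     * inspected locally once it is up.
     */
    static KeyStore loadKeyStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = null;
        try {
            in = new FileInputStream(path);
            ks.load(in, password);
        } finally {
            Arrays.fill(password, '\0'); // scrub the password from memory
            if (in != null) {
                in.close();
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical default location; pass a path as the first argument to override.
        String path = args.length > 0 ? args[0] : "conf/keystore.jks";
        char[] password = promptForPassword("Keystore password: ");
        if (password == null) {
            System.err.println("No console attached; refusing to fall back to a clear-text password.");
            System.exit(1);
        }
        KeyStore ks = loadKeyStore(path, password);
        System.out.println("Loaded " + ks.size() + " entries from " + path);
    }
}
```

Run it from a real terminal (java ConsoleKeystoreLoader /path/to/keystore.jks); under a service wrapper with no TTY it exits with status 1, which is the intended behaviour, since the alternative is exactly the clear-text password the thread is trying to avoid. The password is handled as a char[] and zeroed after KeyStore.load because, as Pid notes, a running JVM exposes a great deal to anyone who can attach locally; a String would survive in the heap until garbage-collected. On HotSpot JVMs the local attach mechanism itself can be switched off with the -XX:+DisableAttachMechanism option, which also disables tools such as jconsole and jmap for that process.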