tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: ConnectionPoolMBean should not expose plain-text DB password
Date Thu, 04 Oct 2012 19:06:36 GMT
Hash: SHA1


On 10/4/12 1:56 PM, Te Li wrote:
> DB password is secret information and should not be exposed via
> JMX. The tomcat ConnectionPool class implements
> ConnectionPoolMBean interface. This interface exposes connection
> pool configuration and statistics. However, because this interface
> extends PoolConfiguration which has "getDbProperties()" method that
> exposes the "password" property in plain text.
> The getPassword() method in DataSourceProxy class (which
> implements PoolConfiguration interface) correctly does not return
> the password but just a dummy value "Password not available as
> DataSource/JMX operation."  However, the password is still exposed
> via getDbProperties() method, which is an unexpected behavior.
> Due to the exposure of plain-text password, we cannot use the 
> ConnectionPoolMBean class out of the box in our production 
> environment and have to define our own MBean interface to expose
> the ConnectionPool bean. Please fix this.

Sounds a lot like

Given the response to that enhancement request, I suspect yours will
get the same treatment were you to actually file it in Bugzilla.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message