tomcat-users mailing list archives
From Christopher Schultz <>
Subject Re: ConnectionPoolMBean should not expose plain-text DB password
Date Fri, 05 Oct 2012 21:11:57 GMT


On 10/5/12 1:51 PM, Te Li wrote:
> I am not familiar with JIoEndpoint discussed in 
> The issue I'm facing is something different. Apparently, some
> effort was made to hide the DB password, but the DB password is
> still exposed via another getter (getDbProperties()). This seems to
> be a bug to me.
> DB passwords are highly sensitive information. JMX admins shouldn't
> see those either. It's not a reasonable assumption that it's okay
> for JMX admins to see exposed DB passwords (which should never be
> exposed in plaintext or encrypted form). Those who work in a
> company would probably concur with this point.

I think most of us work at companies, and I happen to disagree with you.

Tomcat passwords -- at least those in server.xml -- are in plain-text
form. All requests to obfuscate them have been denied because it is
simply not possible to properly secure them: the key always must be
available to the administrator in order to read the obfuscated
password and therefore any steps to "secure" the password are a charade.

There is a wealth of knowledge available via JMX, and it should only
be exposed to administrators. Any JMX-enabled administrator will be
able to deploy an arbitrary webapp to go and fetch the data you are
trying to hide. You are wasting your time.

-chris
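A defender-side illustration of the getDbProperties() concern raised in the thread, added here as an example and not Tomcat's own ConnectionPoolMBean code: a standard MBean whose properties getter returns a redacted copy, so that a password key never crosses the JMX boundary even though the pool itself still holds the real value. The class and interface names, the list of sensitive key substrings, and the sample properties are all assumptions made for the example.

```java
import java.lang.management.ManagementFactory;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;

// Standard MBean naming convention: class X implements interface XMBean
// (hypothetical names; this is not Tomcat's ConnectionPoolMBean).
interface RedactingPoolConfigMBean {
    Properties getDbProperties();
}

public class RedactingPoolConfig implements RedactingPoolConfigMBean {

    // Assumed list of key substrings that must never be echoed over JMX.
    private static final Set<String> SENSITIVE_KEY_PARTS = Set.of("password", "passwd", "pwd", "secret");

    // The real properties handed to the JDBC driver; the MBean holds them
    // but never returns them unfiltered.
    private final Properties dbProperties;

    public RedactingPoolConfig(Properties dbProperties) {
        this.dbProperties = dbProperties;
    }

    // Case-insensitive substring match so "Password", "dbPassword" etc. are caught.
    public static boolean isSensitiveKey(String key) {
        String lower = key.toLowerCase(Locale.ROOT);
        for (String part : SENSITIVE_KEY_PARTS) {
            if (lower.contains(part)) {
                return true;
            }
        }
        return false;
    }

    // The JMX-visible getter: returns a fresh copy with sensitive values masked.
    // Returning a copy also stops a client from mutating the live Properties.
    @Override
    public Properties getDbProperties() {
        Properties redacted = new Properties();
        for (String name : dbProperties.stringPropertyNames()) {
            String value = isSensitiveKey(name) ? "<redacted>" : dbProperties.getProperty(name);
            redacted.setProperty(name, value);
        }
        return redacted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration; not real credentials.
        Properties real = new Properties();
        real.setProperty("url", "jdbc:example://db.internal/app");
        real.setProperty("user", "app");
        real.setProperty("password", "constructed-sample-secret");

        RedactingPoolConfig pool = new RedactingPoolConfig(real);

        // Register on the platform MBeanServer and read the attribute back
        // the way a JMX console or jconsole would.
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example:type=RedactingPoolConfig");
        server.registerMBean(pool, name);

        Properties seen = (Properties) server.getAttribute(name, "DbProperties");
        System.out.println("JMX client sees: " + seen);
        // Expected: url and user intact, password shown as <redacted>.
        if (!"<redacted>".equals(seen.getProperty("password"))) {
            throw new IllegalStateException("password leaked through JMX getter");
        }
        server.unregisterMBean(name);
    }
}
```

This closes the specific leak the thread describes (a second getter bypassing the masking applied to the first), but it does not change Chris's broader point: anyone with JMX deploy rights, or read access to server.xml, can still reach the real value, so the redaction is a hygiene measure for consoles and audit logs rather than a substitute for restricting JMX access to trusted administrators.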

