tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shanti Suresh <sha...@umich.edu>
Subject Re: ConnectionPoolMBean should not expose plain-text DB password
Date Fri, 05 Oct 2012 18:16:24 GMT
Hi Te,

Yes, it would be very nice if the DB passwords don't get exposed via JMX.
If we could have an additional role to get and set some of the sensitive
MBeans, that would be really nice.  More simply, if getDbProperties() can
also simply return some dummy warning information, that will work.

Thanks.
                      -Shanti

On Fri, Oct 5, 2012 at 1:51 PM, Te Li <Te.Li@citrix.com> wrote:

> I am not familiar with JIoEndpoint discussed in
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
>
> The issue I'm facing is something different. Apparently, some effort was
> made to hide the DB password, but the DB password is still exposed via
> another getter (getDbProperties()). This seems to be a bug to me.
>
> DB passwords are highly sensitive information. JMX admins shouldn't see
> those either. It's not a reasonable assumption that it's okay for JMX
> admins to see exposed DB passwords (which should never be exposed in
> plaintext or encrypted form). Those who work in a company would probably
> concur with this point.
>
> Does that make sense to anyone?
>
> Thanks,
> Te
>
> On 10/5/12 6:51 AM, "Shanti Suresh" <shanti@umich.edu> wrote:
>
> >Hi Te,
> >
> >Will it be an option for you to create a JSP as was recently discussed in
> >this list, to expose just the particular MBeans that you need?
> >
> >Thanks.
> >                  -Shanti
> >
> >On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
> >chris@christopherschultz.net> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Te,
> >>
> >> On 10/4/12 1:56 PM, Te Li wrote:
> >> > DB password is secret information and should not be exposed via
> >> > JMX. The tomcat ConnectionPool class implements
> >> > ConnectionPoolMBean interface. This interface exposes connection
> >> > pool configuration and statistics. However, because this interface
> >> > extends PoolConfiguration which has "getDbProperties()" method that
> >> > exposes the "password" property in plain text.
> >> >
> >> > The getPassword() method in DataSourceProxy class (which
> >> > implements PoolConfiguration interface) correctly does not return
> >> > the password but just a dummy value "Password not available as
> >> > DataSource/JMX operation."  However, the password is still exposed
> >> > via getDbProperties() method, which is an unexpected behavior.
> >> >
> >> > Due to the exposure of plain-text password, we cannot use the
> >> > ConnectionPoolMBean class out of the box in our production
> >> > environment and have to define our own MBean interface to expose
> >> > the ConnectionPool bean. Please fix this.
> >>
> >> Sounds a lot like
> >>https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
> >>
> >> Given the response to that enhancement request, I suspect yours will
> >> get the same treatment were you to actually file it in Bugzilla.
> >>
> >> - -chris
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> >> Comment: GPGTools - http://gpgtools.org
> >> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
> >>
> >> iEYEARECAAYFAlBt3jwACgkQ9CaO5/Lv0PDCngCfRyI8rG0cYaEh0hn8WhrPa3zj
> >> NicAoLU+IbFY3T0dw5DML2M4sssOh4gI
> >> =7BaH
> >> -----END PGP SIGNATURE-----
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message