tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Te Li <>
Subject ConnectionPoolMBean should not expose plain-text DB password
Date Thu, 04 Oct 2012 17:56:25 GMT

DB password is secret information and should not be exposed via JMX. The tomcat ConnectionPool
class implements ConnectionPoolMBean interface. This interface exposes connection pool configuration
and statistics. However, because this interface extends PoolConfiguration which has "getDbProperties()"
method that exposes the "password" property in plain text.

The getPassword() method in DataSourceProxy class (which implements PoolConfiguration interface)
correctly does not return the password but just a dummy value "Password not available as DataSource/JMX
operation."  However, the password is still exposed via getDbProperties() method, which is
an unexpected behavior.

Due to the exposure of plain-text password, we cannot use the ConnectionPoolMBean class out
of the box in our production environment and have to define our own MBean interface to expose
the ConnectionPool bean. Please fix this.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message