tomcat-users mailing list archives

From Te Li <Te...@citrix.com>
Subject Re: ConnectionPoolMBean should not expose plain-text DB password
Date Fri, 05 Oct 2012 17:51:48 GMT
I am not familiar with JIoEndpoint discussed in
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.

The issue I'm facing is something different. Apparently, some effort was
made to hide the DB password, but the DB password is still exposed via
another getter (getDbProperties()). This seems to be a bug to me.

DB passwords are highly sensitive information. JMX admins shouldn't see
those either. It's not a reasonable assumption that it's okay for JMX
admins to see exposed DB passwords (which should never be exposed in
plaintext or encrypted form). Those who work in a company would probably
concur with this point.

Does that make sense to anyone?

Thanks,
Te

On 10/5/12 6:51 AM, "Shanti Suresh" <shanti@umich.edu> wrote:

>Hi Te,
>
>Will it be an option for you to create a JSP as was recently discussed in
>this list, to expose just the particular MBeans that you need?
>
>Thanks.
>                  -Shanti
>
>On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
>chris@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Te,
>>
>> On 10/4/12 1:56 PM, Te Li wrote:
>> > The DB password is secret information and should not be exposed via
>> > JMX. The Tomcat ConnectionPool class implements the
>> > ConnectionPoolMBean interface. This interface exposes connection
>> > pool configuration and statistics. However, this interface
>> > extends PoolConfiguration, which has a "getDbProperties()" method that
>> > exposes the "password" property in plain text.
>> >
>> > The getPassword() method in DataSourceProxy class (which
>> > implements PoolConfiguration interface) correctly does not return
>> > the password but just a dummy value "Password not available as
>> > DataSource/JMX operation."  However, the password is still exposed
>> > via getDbProperties() method, which is an unexpected behavior.
>> >
>> > Due to the exposure of plain-text password, we cannot use the
>> > ConnectionPoolMBean class out of the box in our production
>> > environment and have to define our own MBean interface to expose
>> > the ConnectionPool bean. Please fix this.
>>
>> Sounds a lot like
>>https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
>>
>> Given the response to that enhancement request, I suspect yours will
>> get the same treatment were you to actually file it in Bugzilla.
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> iEYEARECAAYFAlBt3jwACgkQ9CaO5/Lv0PDCngCfRyI8rG0cYaEh0hn8WhrPa3zj
>> NicAoLU+IbFY3T0dw5DML2M4sssOh4gI
>> =7BaH
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
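The workaround Te describes (defining a separate MBean interface so the pool can be monitored without handing out dbProperties verbatim) can be sketched as follows. This is an added example, not code from the thread or from Tomcat's jdbc-pool. It assumes the tomcat-jdbc jar is on the classpath (for `PoolConfiguration` and `PoolProperties`); the class `RedactedPool`, its nested `RedactedPoolMBean` interface, the `attributesLeaking` audit helper and the `example:type=RedactedPool` ObjectName are all hypothetical names chosen here, and the connection URL and password are constructed dummies.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;
import org.apache.tomcat.jdbc.pool.PoolConfiguration;
import org.apache.tomcat.jdbc.pool.PoolProperties;

/**
 * Hypothetical replacement MBean for a Tomcat jdbc-pool configuration.
 * It delegates to the real PoolConfiguration but hands JMX clients only a
 * redacted copy of dbProperties, so the "password" key never leaves the JVM.
 */
public class RedactedPool {

    /** Placeholder returned in place of any secret value (constructed). */
    static final String REDACTED = "<redacted>";

    /** Attributes operators are allowed to see; none of them carries a secret. */
    public interface RedactedPoolMBean {
        String getUrl();
        String getUsername();
        int getMaxActive();
        Properties getDbProperties();
    }

    /** Adapter around the real configuration; getDbProperties() is where the fix lives. */
    static class Adapter implements RedactedPoolMBean {
        private final PoolConfiguration cfg;
        Adapter(PoolConfiguration cfg) { this.cfg = cfg; }
        public String getUrl()              { return cfg.getUrl(); }
        public String getUsername()         { return cfg.getUsername(); }
        public int getMaxActive()           { return cfg.getMaxActive(); }
        public Properties getDbProperties() { return redact(cfg.getDbProperties()); }
    }

    /** Return a copy of props in which every key that looks like a secret is masked. */
    static Properties redact(Properties props) {
        Properties copy = new Properties();
        if (props == null) return copy;
        for (String key : props.stringPropertyNames()) {
            String lower = key.toLowerCase(Locale.ROOT);
            boolean secret = lower.contains("password")
                          || lower.contains("passwd")
                          || lower.contains("secret");
            copy.setProperty(key, secret ? REDACTED : props.getProperty(key));
        }
        return copy;
    }

    /**
     * Audit helper: read every readable attribute of an MBean and report those
     * whose string form contains the given secret. Run it against any MBean
     * before exposing it over remote JMX.
     */
    static List<String> attributesLeaking(MBeanServer server, ObjectName name, String secret)
            throws Exception {
        List<String> leaking = new ArrayList<>();
        for (MBeanAttributeInfo info : server.getMBeanInfo(name).getAttributes()) {
            if (!info.isReadable()) continue;
            Object value;
            try {
                value = server.getAttribute(name, info.getName());
            } catch (Exception e) {
                continue; // attribute could not be read, so nothing is leaked through it
            }
            if (value != null && String.valueOf(value).contains(secret)) {
                leaking.add(info.getName());
            }
        }
        return leaking;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration; the password is a dummy value.
        PoolProperties cfg = new PoolProperties();
        cfg.setUrl("jdbc:mysql://db.example.internal:3306/app");
        cfg.setUsername("app");
        cfg.setPassword("dummy-pw-CHANGE-ME"); // as the thread describes, this ends up in dbProperties
        cfg.setMaxActive(20);

        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example:type=RedactedPool,name=app"); // hypothetical name
        server.registerMBean(new StandardMBean(new Adapter(cfg), RedactedPoolMBean.class), name);

        // What a JMX client would see, and whether any attribute still carries the secret.
        System.out.println("DbProperties over JMX: " + server.getAttribute(name, "DbProperties"));
        System.out.println("attributes leaking the password: "
                + attributesLeaking(server, name, "dummy-pw-CHANGE-ME"));
    }
}
```

The audit helper is the part worth keeping around: pointed at the stock pool MBean instead of the adapter, it would flag `DbProperties`, which is exactly the unexpected path the thread is about, and it catches the same problem in any other MBean that returns a `Properties` or map built from the pool configuration.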

