From: Te Li <Te.Li@citrix.com>
To: users@tomcat.apache.org (Tomcat Users List)
Subject: ConnectionPoolMBean should not expose plain-text DB password
Date: Thu, 4 Oct 2012 17:56:25 +0000

Hello,

DB password is secret information and should not be exposed via JMX. The tomcat ConnectionPool class implements the ConnectionPoolMBean interface. This interface exposes connection pool configuration and statistics. However, this interface extends PoolConfiguration, which has a "getDbProperties()" method that exposes the "password" property in plain text.

The getPassword() method in the DataSourceProxy class (which implements the PoolConfiguration interface) correctly does not return the password but just a dummy value "Password not available as DataSource/JMX operation." However, the password is still exposed via the getDbProperties() method, which is an unexpected behavior.

Due to the exposure of the plain-text password, we cannot use the ConnectionPoolMBean class out of the box in our production environment and have to define our own MBean interface to expose the ConnectionPool bean. Please fix this.

Thanks,
Te
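The workaround the post describes (a custom MBean interface that exposes the pool without the password) could look like the following. This is an added example, not code from the post or from Tomcat; it assumes the PoolConfiguration interface lives in org.apache.tomcat.jdbc.pool and offers getUrl(), getUsername(), getMaxActive() and getDbProperties(), and the MBean name and domain are made up for the example.

```java
import java.lang.management.ManagementFactory;
import java.util.Properties;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.apache.tomcat.jdbc.pool.PoolConfiguration; // assumed package

// Standard MBean interface: only non-secret pool settings, and a redacted view
// of the db properties, are reachable over JMX.
interface RedactedPoolConfigMBean {
    String getUrl();
    String getUsername();
    int getMaxActive();
    String getPassword();
    Properties getDbProperties();
}

public class RedactedPoolConfig implements RedactedPoolConfigMBean {
    // Same placeholder text the post quotes for DataSourceProxy.getPassword()
    static final String REDACTED = "Password not available as DataSource/JMX operation.";
    private final PoolConfiguration delegate;

    public RedactedPoolConfig(PoolConfiguration delegate) { this.delegate = delegate; }

    @Override public String getUrl()      { return delegate.getUrl(); }
    @Override public String getUsername() { return delegate.getUsername(); }
    @Override public int getMaxActive()   { return delegate.getMaxActive(); }
    @Override public String getPassword() { return REDACTED; }

    // Return a copy, never the pool's own Properties object, with the
    // "password" key replaced so a JMX client cannot read the real value.
    @Override public Properties getDbProperties() {
        Properties copy = new Properties();
        Properties src = delegate.getDbProperties();
        if (src != null) {
            for (String key : src.stringPropertyNames()) {
                boolean secret = "password".equalsIgnoreCase(key);
                copy.setProperty(key, secret ? REDACTED : src.getProperty(key));
            }
        }
        return copy;
    }

    // Register the wrapper instead of the pool's own MBean (domain/name are example values).
    public static ObjectName register(PoolConfiguration cfg, String poolName) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example.jdbc:type=RedactedPoolConfig,name="
                + ObjectName.quote(poolName));
        server.registerMBean(new RedactedPoolConfig(cfg), name);
        return name;
    }
}
```

Because getDbProperties() hands out a copy, a client that mutates the returned Properties cannot alter the live pool configuration either.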