From: Shanti Suresh
To: Tomcat Users List
Date: Fri, 5 Oct 2012 09:51:24 -0400
Subject: Re: ConnectionPoolMBean should not expose plain-text DB password

Hi Te,

Will it be an option for you to create a JSP as was recently discussed in
this list, to expose just the particular MBeans that you need?

Thanks.

-Shanti

On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> Te,
>
> On 10/4/12 1:56 PM, Te Li wrote:
> > DB password is secret information and should not be exposed via
> > JMX. The tomcat ConnectionPool class implements
> > ConnectionPoolMBean interface. This interface exposes connection
> > pool configuration and statistics. However, this interface
> > extends PoolConfiguration, which has a "getDbProperties()" method that
> > exposes the "password" property in plain text.
> >
> > The getPassword() method in DataSourceProxy class (which
> > implements PoolConfiguration interface) correctly does not return
> > the password but just a dummy value "Password not available as
> > DataSource/JMX operation." However, the password is still exposed
> > via getDbProperties() method, which is an unexpected behavior.
> >
> > Due to the exposure of the plain-text password, we cannot use the
> > ConnectionPoolMBean class out of the box in our production
> > environment and have to define our own MBean interface to expose
> > the ConnectionPool bean. Please fix this.
>
> Sounds a lot like https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
>
> Given the response to that enhancement request, I suspect yours will
> get the same treatment were you to actually file it in Bugzilla.
>
> -chris
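
The workaround mentioned in the quoted report (a custom MBean interface in place of ConnectionPoolMBean) could look like the sketch below. It is an added example, not part of the thread and not Tomcat code; it uses only the JDK, and `PoolViewMXBean`, `PoolView`, the `example:type=PoolView` object name and all sample values are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class RedactedPoolView {

    /** Hypothetical management interface: only what operators need to read. */
    public interface PoolViewMXBean {
        String getUrl();
        Map<String, String> getDbProperties();
    }

    /** Wraps values that would come from the pool configuration (assumption). */
    public static class PoolView implements PoolViewMXBean {
        private final String url;
        private final Properties dbProperties;

        public PoolView(String url, Properties dbProperties) {
            this.url = url;
            this.dbProperties = dbProperties;
        }

        @Override public String getUrl() { return url; }

        /** Returns a copy; the value of any key containing "password" is masked. */
        @Override public Map<String, String> getDbProperties() {
            Map<String, String> safe = new TreeMap<>();
            for (String key : dbProperties.stringPropertyNames()) {
                boolean secret = key.toLowerCase(Locale.ROOT).contains("password");
                safe.put(key, secret ? "********" : dbProperties.getProperty(key));
            }
            return safe;
        }
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();   // constructed sample values
        props.setProperty("user", "appuser");
        props.setProperty("password", "not-a-real-secret");

        PoolView view = new PoolView("jdbc:postgresql://db.example.invalid/app", props);
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("example:type=PoolView");
        server.registerMBean(view, name);

        // A JMX client sees only the wrapper's attributes, never the raw Properties.
        System.out.println(server.getAttribute(name, "Url"));
        System.out.println(view.getDbProperties());
    }
}
```

A JDBC URL can itself carry credentials as parameters, so the value returned by `getUrl()` needs the same review before it is exposed.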