tomcat-dev mailing list archives

From Pid <>
Subject Re: MBeans and credentials
Date Sat, 02 Oct 2010 08:15:07 GMT
On 01/10/2010 19:32, Rainer Jung wrote:
> Should we remove the following attributes from the respective mbeans?
> - "shutdown" from "Catalina:type=Server"

If you've got JMX access, there are various 'stop()' methods to call.
Maybe this one doesn't matter so much, as the socket's bound to a local
address anyway.

> - "keyPass" from "Catalina:type=ProtocolHandler,port=8080"
> - "password" from "User"
> - "connectionPassword" from "JDBCRealm"
> - "password" for a DataSource (?)
> Or at least allow to drop them from a jmxproxy query (e.g.
> qry=*:*&filter=nopass).

I've seen a DB impl (C3P0 maybe) where the field is present, but the
data obscured with stars.  Not sure how that was achieved.

> Of course it is likely that people having access to JMX are already
> powerful enough to do harm. On the other hand at least exports via
> jmxproxy are not too unlikely to get passed outside for troubleshooting.
> Is anyone aware of more of those?

The new pool impl, tomcat-jdbc.

> What about user names for the cases where they also exist?

Leaving those in might be a good idea.


> Regards,
> Rainer
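Added example, not part of the original message and not Tomcat code: a Python sketch that masks the attributes named in this thread in a saved jmxproxy text export before it is passed outside for troubleshooting, keeping user names as suggested above. It assumes the export is laid out as `Name: <object name>` followed by `attribute: value` lines with a blank line between MBeans; the sample dump, its values and the Realm object name are constructed.

```python
import re

# Attribute names taken from the thread; compared case-insensitively.
SENSITIVE = {"shutdown", "keypass", "password", "connectionpassword"}
MASK = "********"
ATTR_LINE = re.compile(r"^([A-Za-z_][\w.]*):[ \t]?(.*)$")

# Constructed sample export (assumed layout, made-up values).
SAMPLE = """OK - Number of results: 3

Name: Catalina:type=Server
modelerType: org.apache.catalina.core.StandardServer
port: 8005
shutdown: CONSTRUCTED-SHUTDOWN-WORD

Name: Catalina:type=ProtocolHandler,port=8080
keyPass: constructed-key-pass
port: 8080

Name: Catalina:type=Realm,realmPath=/realm0
connectionName: appuser
connectionPassword: constructed-db-pass
 second-line-of-a-wrapped-value
"""

def redact_jmxproxy(text, sensitive=SENSITIVE):
    """Return (redacted_text, hits); hits lists (mbean, attribute) pairs masked."""
    out, hits, mbean, masking = [], [], None, False
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not line.strip():                 # blank line ends the current MBean
            mbean, masking = None, False
            out.append(line)
        elif m and m.group(1) == "Name":     # start of a new MBean block
            mbean, masking = m.group(2), False
            out.append(line)
        elif m and mbean is not None:        # attribute line inside an MBean
            name = m.group(1)
            masking = name.lower() in sensitive
            if masking:
                hits.append((mbean, name))
            out.append(f"{name}: {MASK}" if masking else line)
        elif not masking:                    # header or other free text
            out.append(line)
        # else: continuation of a masked multi-line value, dropped
    return "\n".join(out), hits

if __name__ == "__main__":
    print(redact_jmxproxy(SAMPLE)[0])
```

The returned hit list doubles as a quick audit of which MBeans expose credentials through JMX in the first place.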