On Tue, 14 Aug 2001, Jonathan Cobb wrote:
> Craig R. McClanahan wrote:
>
> >On Mon, 13 Aug 2001, Christopher Cain wrote:
> >
> >>I'm in the process of cleaning up the 4.0 SSLServerSocketFactory, and it
> >>occurs to me that I find the getKeystorePass method offensive. There
> >>should never be any reason to retrieve the keystore password once it's
> >>set, and it makes me uncomfortable having the method there. I'm not sure
> >>if it could somehow be called from a webapp,
> >>
> >It cannot.
> >
> Correct me if I am wrong, but this is because the classes used by each
> webapp are loaded by a webapp-specific classloader, right?
>
That's part of the reason an app cannot do this. The more important
reason is that SSLServerSocketFactory (and all the other Catalina internal
classes) are loaded from a class loader that is *not* in the hierarchy
visible to web apps. The only internal classes that a web app sees are
the facade objects around the Servlet APIs (such as the class that
implements HttpServletRequest).

> >>but it could certainly be
> >>called from a malicious module.
> >>
> >It can.
> >
> And again, this is correct because the malicious module would be loaded
> by the same classloader used to load the Tomcat core classes, right?
>
Yes. Classes loaded from the internal class loader (including
valves) have pretty much free rein inside the server.

> >>I'm working on a module to allow administrators to remove the password
> >>from server.xml, this method becomes a security hole.
> >>
> I think the idea of removing passwords from config files, or at least
> having the option to do so, is a great one. Keep us posted on the
> status of your module. :)
>
> >>There
> >>should never be a way to display passwords in any system.
> >>
> Agreed, *especially* in the case of plaintext passwords.
>
>
> - jonathan.
>
>
>
Craig
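
The visibility rule discussed in this thread, as an added example that is not part of the original message and not Tomcat code: a class defined by one loader is invisible to a sibling loader, but visible to any loader that has the defining loader as its parent. `LoaderVisibilityDemo`, `OwningLoader` and `InternalFactory` are hypothetical names; the sketch assumes Java 9+ and that the file is compiled with `javac` before it is run.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Set;

public class LoaderVisibilityDemo {
    // Hypothetical stand-in for a server-internal class such as SSLServerSocketFactory.
    public static class InternalFactory {
        public String getKeystorePass() { return "constructed-sample-value"; }
    }

    // Defines only the classes it "owns"; every other name is left to its parent chain.
    static class OwningLoader extends ClassLoader {
        private final Set<String> owned;
        OwningLoader(ClassLoader parent, Set<String> owned) { super(parent); this.owned = owned; }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            if (!owned.contains(name)) throw new ClassNotFoundException(name);
            String path = "/" + name.replace('.', '/') + ".class";
            try (InputStream in = LoaderVisibilityDemo.class.getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // True if the loader (or one of its parents) can resolve the class name.
    static boolean canSee(ClassLoader loader, String name) {
        try { loader.loadClass(name); return true; }
        catch (ClassNotFoundException e) { return false; }
    }

    public static void main(String[] args) {
        String internal = InternalFactory.class.getName();
        // parent == null: only the bootstrap loader sits above "server" and "webapp".
        ClassLoader server = new OwningLoader(null, Set.of(internal)); // models the internal loader
        ClassLoader webapp = new OwningLoader(null, Set.of());         // sibling: models a web app loader
        ClassLoader module = new OwningLoader(server, Set.of());       // child: models a server module
        System.out.println("webapp loader sees internal class: " + canSee(webapp, internal));
        System.out.println("server loader sees internal class: " + canSee(server, internal));
        System.out.println("module loader sees internal class: " + canSee(module, internal));
    }
}
```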