Hello,

The DB password is secret information and should not be exposed via JMX. The Tomcat 
ConnectionPool class implements the ConnectionPoolMBean interface. This interface 
exposes connection pool configuration and statistics. However, this 
interface extends PoolConfiguration, which has a "getDbProperties()" method that 
exposes the "password" property in plain text.

The getPassword() method in DataSourceProxy class (which implements 
PoolConfiguration interface) correctly does not return the password but just a 
dummy value "Password not available as DataSource/JMX operation." However, the 
password is still exposed via the getDbProperties() method, which is unexpected 
behavior.

Due to the exposure of the plain-text password, we cannot use the 
ConnectionPoolMBean class out of the box in our production environment and have 
to define our own MBean interface to expose the ConnectionPool bean. Please fix 
this.

Thanks,
Te
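
An added example, not part of the original message and not Tomcat's code: a JDK-only audit that reads every readable attribute of a registered MBean and reports Map-valued attributes carrying a password-like key. `DemoPool`, `DemoPoolMBean`, the `example:` object names and the secret value are constructed stand-ins that mimic the getPassword()/getDbProperties() behaviour described above.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.*;
public class JmxSecretAudit {
    // Constructed stand-in for a pool MBean; this is not Tomcat's ConnectionPoolMBean.
    public interface DemoPoolMBean {
        String getPassword();
        Properties getDbProperties();
    }
    public static class DemoPool implements DemoPoolMBean {
        private final Properties props = new Properties();
        private final boolean redact;
        public DemoPool(boolean redact) {
            this.redact = redact;
            props.setProperty("user", "app");
            props.setProperty("password", "constructed-secret"); // constructed sample value
        }
        // The dedicated getter already hides the secret, as the message describes.
        public String getPassword() { return "Password not available as DataSource/JMX operation."; }
        public Properties getDbProperties() {
            Properties copy = new Properties();
            copy.putAll(props);
            if (redact) copy.remove("password"); // hardened variant: strip the secret from the copy
            return copy;
        }
    }
    // Returns "Attribute.key" for each Map-valued attribute that holds a password-like key.
    static List<String> findLeaks(MBeanServer mbs, ObjectName name) throws JMException {
        List<String> leaks = new ArrayList<>();
        for (MBeanAttributeInfo attr : mbs.getMBeanInfo(name).getAttributes()) {
            if (!attr.isReadable()) continue;
            Object value = mbs.getAttribute(name, attr.getName());
            if (!(value instanceof Map)) continue;
            for (Object key : ((Map<?, ?>) value).keySet()) {
                if (String.valueOf(key).toLowerCase(Locale.ROOT).contains("password"))
                    leaks.add(attr.getName() + "." + key);
            }
        }
        return leaks;
    }
    public static void main(String[] args) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        for (boolean redact : new boolean[] {false, true}) {
            ObjectName name = new ObjectName("example:type=DemoPool,redact=" + redact);
            mbs.registerMBean(new StandardMBean(new DemoPool(redact), DemoPoolMBean.class), name);
            System.out.println(name + " -> " + findLeaks(mbs, name));
        }
    }
}
```

The unredacted bean reports `DbProperties.password` while its `Password` attribute stays masked; the redacted bean reports nothing.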
