Te,

On 10/4/12 1:56 PM, Te Li wrote:
> DB password is secret information and should not be exposed via
> JMX. The tomcat ConnectionPool class implements
> ConnectionPoolMBean interface. This interface exposes connection
> pool configuration and statistics. However, because this interface
> extends PoolConfiguration which has "getDbProperties()" method that
> exposes the "password" property in plain text.
>
> The getPassword() method in DataSourceProxy class (which
> implements PoolConfiguration interface) correctly does not return
> the password but just a dummy value "Password not available as
> DataSource/JMX operation." However, the password is still exposed
> via getDbProperties() method, which is an unexpected behavior.
>
> Due to the exposure of plain-text password, we cannot use the
> ConnectionPoolMBean class out of the box in our production
> environment and have to define our own MBean interface to expose
> the ConnectionPool bean. Please fix this.

Sounds a lot like
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139

Given the response to that enhancement request, I suspect yours will
get the same treatment were you to actually file it in Bugzilla.

-chris
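An audit for the exposure described in this thread, added here as an example (it is not part of the original message and is not Tomcat code): it walks every MBean on the local platform MBeanServer and reports Map-valued attributes that carry a password-like key. DemoPoolMBean, DemoPool, the ObjectName and the sample property values are constructed stand-ins that mimic the behaviour the report describes, and the SENSITIVE key list is an assumption.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.*;

public class JmxSecretAudit {
    // Constructed stand-in for the pool MBean described in the thread (not Tomcat's code).
    public interface DemoPoolMBean {
        String getPassword();
        Properties getDbProperties();
    }

    public static class DemoPool implements DemoPoolMBean {
        // The dedicated getter masks the value, as the report says getPassword() does.
        public String getPassword() { return "Password not available as DataSource/JMX operation."; }
        // The properties bag still carries the real value.
        public Properties getDbProperties() {
            Properties p = new Properties();
            p.setProperty("user", "app");                    // constructed sample value
            p.setProperty("password", "constructed-secret"); // constructed sample value
            return p;
        }
    }

    // Assumed list of key names to treat as sensitive; extend for your environment.
    static final Set<String> SENSITIVE = Set.of("password", "passwd", "secret");

    // Returns "objectName#attribute[key]" for each Map-valued attribute holding a sensitive key.
    // Only the key is reported, never the value, so the audit output is safe to log.
    static List<String> findExposedSecrets(MBeanServer server) throws JMException {
        List<String> findings = new ArrayList<>();
        for (ObjectName name : server.queryNames(null, null)) {
            for (MBeanAttributeInfo attr : server.getMBeanInfo(name).getAttributes()) {
                if (!attr.isReadable()) continue;
                Object value;
                try { value = server.getAttribute(name, attr.getName()); }
                catch (Exception e) { continue; } // attribute not readable at runtime: skip it
                if (!(value instanceof Map)) continue; // java.util.Properties is a Map
                for (Object key : ((Map<?, ?>) value).keySet()) {
                    if (SENSITIVE.contains(String.valueOf(key).toLowerCase(Locale.ROOT)))
                        findings.add(name + "#" + attr.getName() + "[" + key + "]");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        server.registerMBean(new StandardMBean(new DemoPool(), DemoPoolMBean.class),
                new ObjectName("example:type=DemoPool"));
        findExposedSecrets(server).forEach(System.out::println);
    }
}
```

Calling findExposedSecrets() from inside the application's own JVM (for instance from a startup check) covers the MBeans that application actually registers, including any pool MBeans.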