Re: ConnectionPoolMBean should not expose plain-text DB password

Fri, 05 Oct 2012 06:51:51 -0700 

Hi Te,

Will it be an option for you to create a JSP as was recently discussed in
this list, to expose just the particular MBeans that you need?

Thanks.
                  -Shanti

On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Te,
>
> On 10/4/12 1:56 PM, Te Li wrote:
> > DB password is secret information and should not be exposed via
> > JMX. The tomcat ConnectionPool class implements
> > ConnectionPoolMBean interface. This interface exposes connection
> > pool configuration and statistics. However, because this interface
> > extends PoolConfiguration which has "getDbProperties()" method that
> > exposes the "password" property in plain text.
> >
> > The getPassword() method in DataSourceProxy class (which
> > implements PoolConfiguration interface) correctly does not return
> > the password but just a dummy value "Password not available as
> > DataSource/JMX operation."  However, the password is still exposed
> > via getDbProperties() method, which is an unexpected behavior.
> >
> > Due to the exposure of plain-text password, we cannot use the
> > ConnectionPoolMBean class out of the box in our production
> > environment and have to define our own MBean interface to expose
> > the ConnectionPool bean. Please fix this.
>
> Sounds a lot like https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
>
> Given the response to that enhancement request, I suspect yours will
> get the same treatment were you to actually file it in Bugzilla.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBt3jwACgkQ9CaO5/Lv0PDCngCfRyI8rG0cYaEh0hn8WhrPa3zj
> NicAoLU+IbFY3T0dw5DML2M4sssOh4gI
> =7BaH
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Reply via email to