On 01/10/2010 19:32, Rainer Jung wrote:
> Should we remove the following attributes from the respective mbeans?
>
> - "shutdown" from "Catalina:type=Server"

If you've got JMX access, there are various 'stop()' methods to call. Maybe this one doesn't matter so much, as the socket's bound to a local address anyway.

> - "keyPass" from "Catalina:type=ProtocolHandler,port=8080"
> - "password" from "User"
> - "connectionPassword" from "JDBCRealm"
> - "password" for a DataSource (?)
>
> Or at least allow to drop them from a jmxproxy query (e.g.
> qry=*:*&filter=nopass).

I've seen a DB impl (C3P0 maybe) where the field is present, but the data obscured with stars. Not sure how that was achieved.

> Of course it is likely that people having access to JMX are already
> powerful enough to do harm. On the other hand at least exports via
> jmxproxy are not too unlikely to get passed outside for troubleshooting.
>
> Is anyone aware of more of those?

The new pool impl, tomcat-jdbc.

> What about user names for the cases where they also exist?

Leaving those in might be a good idea.

p

> Regards,
>
> Rainer
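The concern above is that jmxproxy exports get passed outside for troubleshooting with secrets still in them. The following is an added example, not part of the thread or of Tomcat: a filter that masks the attributes named in the thread in a saved export before it is shared, while leaving user names in place. It assumes the export is plain text with a `Name: <ObjectName>` line followed by `attribute: value` lines; the sample dump and its values are constructed.

```python
import re

# Attribute names listed in the thread, compared case-insensitively.
SENSITIVE = {"shutdown", "keypass", "password", "connectionpassword"}

# "attribute: value" at the start of a line; indented continuation
# lines of multi-line values are passed through untouched.
ATTR_LINE = re.compile(r"^([A-Za-z_][\w.]*):\s?(.*)$")

# Constructed sample export (layout is an assumption, values are made up).
SAMPLE = """OK - Number of results: 3

Name: Catalina:type=Server
modelerType: org.apache.catalina.core.StandardServer
port: 8005
shutdown: SHUTDOWN

Name: Catalina:type=ProtocolHandler,port=8080
keyPass: changeit

Name: Users:type=User,username="admin",database=UserDatabase
username: admin
password: s3cret-constructed
"""

def redact_dump(text, sensitive=SENSITIVE, mask="********"):
    """Return (redacted_text, hits); hits lists (mbean, attribute) pairs."""
    out, hits, mbean = [], [], None
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m and m.group(1) == "Name":
            mbean = m.group(2)          # remember which MBean we are in
        elif m and m.group(1).lower() in sensitive:
            hits.append((mbean, m.group(1)))
            # Mask even empty values so the dump does not reveal
            # whether a secret is configured at all.
            line = f"{m.group(1)}: {mask}"
        out.append(line)
    return "\n".join(out), hits

if __name__ == "__main__":
    redacted, found = redact_dump(SAMPLE)
    print(redacted)
    for bean, attr in found:
        print(f"masked {attr} on {bean}")
```

The returned `hits` list doubles as an audit of which MBeans exposed a secret in the export, which helps when checking for further attributes of the kind asked about in the thread.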