https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
Bug #: 53139
Summary: Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)
Product: Tomcat 7
Version: 7.0.27
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: randy.very.g...@gmail.com
Classification: Unclassified

Created attachment 28667 --> https://issues.apache.org/bugzilla/attachment.cgi?id=28667
JConsole view of a freshly installed Tomcat 7, with SSL enabled in server.xml

Issue:

I've noticed that Tomcat 7.0.27 exposes the keystore and truststore passwords via JMX in cleartext (in the bean JIoEndpoint). This was not the case in Tomcat 6; for example, the JIoEndpoint bean which was exposed had much fewer attributes. I have specified the passwords as attributes in the HTTPS connector tag in server.xml.

Solution:

My quick solution was to add mbeans-descriptors.xml to the package org.apache.tomcat.util.net (where JIoEndpoint lies) with this content:

    <mbeans-descriptors>
      <mbean name="ThreadPool"
             description="JIoEndpoint"
             domain="Catalina"
             group="Connector"
             type="org.apache.tomcat.util.net.JIoEndpoint">
      </mbean>
    </mbeans-descriptors>

With this, no attributes from JIoEndpoint are exposed anymore. A better solution would be to add a more meaningful mbeans-descriptors.xml, only filtering out critical keystore/truststore information.

Also see here: http://www.mail-archive.com/users@tomcat.apache.org/msg98216.html

Thanks
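A check a practitioner would want after applying a descriptor like the one above is whether any MBean on the server still hands out a credential through JMX. The following is an added audit program, not part of the bug report and not Tomcat code: it walks every registered MBean, reads each readable attribute whose name looks credential-like (the pattern, the choice of "pass|secret|credential", and the FakeEndpoint stand-in MBean are all my assumptions), and reports matches with the value length only, never the value. Run with no arguments it registers a constructed stand-in for the leaking endpoint in the local platform MBeanServer so it can be tried offline; run with a JMX service URL it audits a live server (the example URL and port 9010 are hypothetical and depend on how you started the JVM with com.sun.management.jmxremote.*).

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class JmxSecretAudit {

    // Assumed heuristic: attribute names that usually carry credentials.
    // "keystorePass"/"truststorePass" (the Connector attributes named in the
    // report) match "pass"; "keystoreFile" deliberately does not.
    private static final Pattern SENSITIVE =
            Pattern.compile("(?i)(pass|secret|credential)");

    /** One finding: which MBean, which attribute, and a redacted preview. */
    public static final class Finding {
        public final String mbean, attribute, preview;
        Finding(String mbean, String attribute, String preview) {
            this.mbean = mbean; this.attribute = attribute; this.preview = preview;
        }
    }

    /** Scan every MBean reachable through conn for readable, non-empty
     *  attributes whose names match SENSITIVE. Works for both a local
     *  MBeanServer and a remote MBeanServerConnection. */
    public static List<Finding> scan(MBeanServerConnection conn) throws Exception {
        List<Finding> findings = new ArrayList<>();
        for (ObjectName name : conn.queryNames(null, null)) {
            for (MBeanAttributeInfo info : conn.getMBeanInfo(name).getAttributes()) {
                if (!info.isReadable() || !SENSITIVE.matcher(info.getName()).find()) {
                    continue;
                }
                Object value;
                try {
                    value = conn.getAttribute(name, info.getName());
                } catch (Exception e) {
                    continue; // declared readable but the read fails: nothing leaks
                }
                if (value != null && !value.toString().isEmpty()) {
                    findings.add(new Finding(name.toString(), info.getName(),
                            redact(value.toString())));
                }
            }
        }
        return findings;
    }

    /** Audit output must not reproduce the secret; show only its length. */
    static String redact(String s) {
        return "<" + s.length() + " chars>";
    }

    // Constructed stand-in for the leaking endpoint, used only in offline mode.
    // Standard MBean convention: the interface is the class name + "MBean".
    public interface FakeEndpointMBean {
        int getMaxThreads();
        String getKeystorePass();
    }

    public static class FakeEndpoint implements FakeEndpointMBean {
        public int getMaxThreads() { return 200; }
        public String getKeystorePass() { return "changeit"; } // constructed sample value
    }

    static void report(List<Finding> findings) {
        if (findings.isEmpty()) {
            System.out.println("no sensitive attributes exposed");
            return;
        }
        for (Finding f : findings) {
            System.out.println("EXPOSED " + f.mbean + " " + f.attribute + " = " + f.preview);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Live mode, e.g. service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi
            // (hypothetical URL; requires the JVM to have JMX remote enabled).
            try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(args[0]))) {
                report(scan(c.getMBeanServerConnection()));
            }
        } else {
            MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
            mbs.registerMBean(new FakeEndpoint(),
                    new ObjectName("Catalina:type=ThreadPool,name=\"http-bio-8443\""));
            report(scan(mbs)); // offline run: prints one EXPOSED line for keystorePass
        }
    }
}
```

The offline run reports the stand-in's keystorePass attribute and ignores maxThreads; pointing the same scan at a real Tomcat 7.0.27 with an HTTPS connector and no descriptor override is how you would confirm the exposure the report describes, and re-running it after adding the mbeans-descriptors.xml is how you confirm the fix. The name-based heuristic is deliberately broad and can flag attributes that are not secrets, so treat its output as a list to review rather than a verdict.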