[Bug 53968] New: Database password is exposed via JMX in getDbProperties() method

Thu, 04 Oct 2012 11:02:31 -0700 

https://issues.apache.org/bugzilla/show_bug.cgi?id=53968

          Priority: P2
            Bug ID: 53968
          Assignee: dev@tomcat.apache.org
           Summary: Database password is exposed via JMX in
                    getDbProperties() method
          Severity: normal
    Classification: Unclassified
                OS: Mac OS X 10.4
          Reporter: matt.br...@citrixonline.com
          Hardware: PC
            Status: NEW
           Version: unspecified
         Component: jdbc-pool
           Product: Tomcat Modules

When using org.apache.tomcat.jdbc.pool.DataSource and the no-arg constructor,
the plaintext password of the connection is exposed via the JMX MBean via the
dbProperties field.

DataSource's superclass, org.apache.tomcat.jdbc.pool.DataSourceProxy, contains
the following code which prevents the connection password from being exposed
via JMX:

    /**
     * @return DOES NOT RETURN THE PASSWORD, IT WOULD SHOW UP IN JMX
     */
    @Override
    public String getPassword() {
        return "Password not available as DataSource/JMX operation.";
    }

However the implementation of setPassword() and getDbProperties() result in the
password being exposed via JMX anyway:

    @Override
    public void setPassword(String password) {
        this.poolProperties.setPassword(password);
       
this.poolProperties.getDbProperties().setProperty("password",this.poolProperties.getPassword());
    }

    @Override
    public Properties getDbProperties() {
        return getPoolProperties().getDbProperties();
    }

When using the no-arg constructor of DataSource, the poolProperties field is
set to an instance of PoolProperties, whose getDbProperties() returns the
dbProperties (including the password) reference as-is. The ConnectionPool class
however returns the dbProperties without the password field.

This seems inconsistent - steps are taken to prevent the password from being
exposed in the getPassword() method but it is still exposed in the
getDbProperties() method when using DataSource's no-arg constructor. 

It seems like the password should be prevented from being exposed in both
methods. Is there ever a use-case for exposing the password in the JMX MBean?

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to