On Feb 22, 2007, at 9:35 AM, Aaron Mulder wrote:

> There is some built-in encryption available. My recollection was that
> the server tried to apply it to settings with "password" in the name,
> but it may have changed in 1.2-beta.

I haven't found the code that does this, but I think that it encrypts
config.xml rather than any plans. I could be very wrong, although
since plans aren't needed at runtime I can't see how encryption could
be applied to them.

thanks
david jencks

> Thanks,
> Aaron
>
> On 2/22/07, Aman Nanner/MxI Technologies <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> I have noticed that passwords in plans and configuration files in Geronimo
>> (1.2-beta) are not encrypted by the server, and remain in plaintext. For
>> example, passwords in:
>> 1) Datasource connector plans
>> 2) ActiveMQ connector plans
>> 3) TomcatWebSSL Keystore passwords
>> 4) Geronimo properties realm passwords
>>
>> Having these plaintext passwords in these configuration files poses an
>> inherent security risk that would prevent us from deploying Geronimo out to
>> customer sites. Are there any plans to have all these passwords encrypted?
>>
>> Thanks,
>> Aman