[ http://issues.apache.org/jira/browse/GERONIMO-1135?page=comments#action_12357808 ]
Kevan Miller commented on GERONIMO-1135:
----------------------------------------

From my scan of the code, looks like the properties are being set by security\src\java\org\apache\geronimo\security\SecurityServiceImpl.java

This isn't my cup-of-tea, but it seems that the properties are the only mechanism for specifying these passwords. I've seen some doc (http://java.sun.com/products/jsse/install.html) that implies the System properties are cleared when the default SSLContext and default TrustManagerFactory are initialized. So, it may be a matter of performing the appropriate initialization at the appropriate time. Barring that, we'd need to have the security manager block access. I'll have a look...

> Keystore password in System.properties
> --------------------------------------
>
>          Key: GERONIMO-1135
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1135
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0
>
> If you look at the System properties, the keystore and trust store passwords
> are in there. I'm not sure who puts them in there, but we need to find a way
> to stop that -- or else prevent applications from reading them?
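
An added example, not part of the original message and not Geronimo's code: one way to check whether the store passwords are readable from System properties, and to build an SSLContext from an explicit char[] so the password never has to be placed there. The class and method names are hypothetical, the password and empty keystore are constructed samples, and the property names are the standard JSSE ones.

```java
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class KeystorePasswordExposure {
    // Standard JSSE property names that carry store passwords.
    static final String[] PASSWORD_PROPS = {
        "javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword" };

    // Names of the password properties any code in this JVM can currently read.
    static List<String> exposedProps() {
        List<String> found = new ArrayList<>();
        for (String name : PASSWORD_PROPS) {
            if (System.getProperty(name) != null) found.add(name);
        }
        return found;
    }

    // Build an SSLContext from an explicit char[] so the password is never
    // placed in System properties; the array is wiped after use.
    static SSLContext contextFrom(KeyStore ks, char[] password) throws Exception {
        try {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null); // default trust managers
            return ctx;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: reproduce the reported state with a dummy value.
        System.setProperty("javax.net.ssl.keyStorePassword", "constructed-sample");
        System.out.println("exposed before: " + exposedProps());
        for (String name : PASSWORD_PROPS) System.clearProperty(name);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store standing in for the real one
        SSLContext ctx = contextFrom(ks, "constructed-sample".toCharArray());
        System.out.println("context: " + ctx.getProtocol()
            + ", exposed after: " + exposedProps());
    }
}
```

The trust store follows the same pattern with TrustManagerFactory.init(KeyStore) passed as the second argument to SSLContext.init.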
