Hi Kevan,
Sorry for my late reply and thanks for raising this security issue. I
believe that the encryption of password attributes is not enough in
this case as password in this case is an XML JavaBean attribute;
based on a cursory review of GBeanOverride, it seems that this case
is not yet handled.
I will fix this problem tonight or in the next couple of days.
Thanks,
Gianny
On 15/11/2007, at 6:54 AM, Kevan Miller wrote:
On Nov 13, 2007 4:40 PM, Kevan Miller <[EMAIL PROTECTED]> wrote:
Hi Gianny,
I notice that this scheme is storing "admin" username and password
in clear text. It will also make the username/password accessible
via JMX. I think we need to avoid this. Would prefer to see this
information handled in a manner more consistent with our handling
of sensitive information in var/security. Would you agree?
David Jencks reminded me that 'password' properties in config.xml
will be encrypted.
--kevan
--kevan
On Nov 12, 2007, at 8:35 AM, [EMAIL PROTECTED] wrote:
Modified: geronimo/server/trunk/plugins/clustering/clustering/src/
main/plan/plan.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/
clustering/clustering/src/main/plan/plan.xml?
rev=594117&r1=594116&r2=594117&view=diff
=====================================================================
=========
--- geronimo/server/trunk/plugins/clustering/clustering/src/main/
plan/plan.xml (original)
+++ geronimo/server/trunk/plugins/clustering/clustering/src/main/
plan/plan.xml Mon Nov 12 05:35:48 2007
@@ -27,4 +27,78 @@
</reference>
</gbean>
+ <gbean name="MasterRepository"
class="org.apache.geronimo.system.repository.Maven2Repository">
+ <attribute name="root">master-repository/</attribute>
+ <reference name="ServerInfo">
+ <name>ServerInfo</name>
+ </reference>
+ </gbean>
+
+ <gbean name="MasterConfigurationStore" class="
org.apache.geronimo.clustering.deployment.MasterConfigurationStore">
+ <xml-attribute name="defaultEnvironment">
+ <environment xmlns=" http://geronimo.apache.org/xml/
ns/deployment-${geronimoSchemaVersion}">
+ <dependencies>
+ <dependency>
+ <groupId>${pom.groupId }</groupId>
+ <artifactId>clustering</artifactId>
+ <type>car</type>
+ </dependency>
+ </dependencies>
+ </environment>
+ </xml-attribute>
+ <reference name="Repository">
+ <name>MasterRepository</name>
+ </reference>
+ <reference name="ClusterInfo">
+ <name>ClusterInfo</name>
+ </reference>
+ <reference name="ClusterConfigurationStoreClient">
+ <name>ClusterConfigurationStoreClient</name>
+ </reference>
+ </gbean>
+
+ <gbean name="ClusterConfigurationStoreClient"
class="org.apache.geronimo.clustering.deployment.BasicClusterConfigur
ationStoreClient ">
+ <attribute name="clusterConfigurationStoreNameQuery">?
name=ClusterConfigurationStore</attribute>
+ </gbean>
+
+ <gbean name="ClusterRepository" class="
org.apache.geronimo.system.repository.Maven2Repository">
+ <attribute name="root">cluster-repository/</attribute>
+ <reference name="ServerInfo">
+ <name>ServerInfo</name>
+ </reference>
+ </gbean>
+
+ <gbean name="ClusterStore"
class="org.apache.geronimo.system.configuration.RepositoryConfigurati
onStore">
+ <reference name="Repository">
+ <name>ClusterRepository</name>
+ </reference>
+ </gbean>
+
+ <gbean name="ClusterConfigurationStore"
class="org.apache.geronimo.clustering.deployment.BasicClusterConfigur
ationStore ">
+ <reference name="ConfigurationStore">
+ <name>ClusterStore</name>
+ </reference>
+ </gbean>
+
+ <!-- Static Cluster Configuration -->
+ <gbean name="ClusterInfo"
class="org.apache.geronimo.clustering.config.BasicClusterInfo">
+ <attribute name="name">${PlanClusterName}</attribute>
+ <reference name="NodeInfos"></reference>
+ </gbean>
+
+ <gbean name="NodeInfo"
class="org.apache.geronimo.clustering.config.BasicNodeInfo">
+ <attribute name="name">NodeName</attribute>
+ <xml-attribute name="extendedJMXConnectorInfo">
+ <ns:javabean xmlns:ns="http://geronimo.apache.org/
xml/ns/deployment/javabean-1.0 "
class="org.apache.geronimo.clustering.config.BasicExtendedJMXConnecto
rInfo">
+ <ns:property name="username">system</ns:property>
+ <ns:property name="password">manager</ns:property>
+ <ns:property name="protocol">rmi</ns:property>
+ <ns:property name="host">localhost</ns:property>
+ <ns:property name="port">1099</ns:property>
+ <ns:property name="urlPath">JMXConnector</
ns:property>
+ <ns:property name="local">true</ns:property>
+ </ns:javabean>
+ </xml-attribute>
+ </gbean>
+
</module>
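Review bot: The NodeInfo gbean at the end of this hunk commits JMX connector credentials to plan.xml in clear text, as `<ns:property name="username">system</ns:property>` and `<ns:property name="password">manager</ns:property>` inside the extendedJMXConnectorInfo xml-attribute. These values are javabean properties nested in an xml-attribute rather than a plain `<attribute>` on the gbean, which is the case the thread says the encryption of password attributes may not yet handle. Suggest removing the username and password properties from the plan and supplying them from a protected source, or at minimum adding a comment in the plan marking them as placeholders that must be overridden before deployment. Separately, `<reference name="NodeInfos"></reference>` in ClusterInfo is left empty with no comment explaining how it is meant to be resolved.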