[GitHub] [activemq-artemis] ryan-highley commented on a diff in pull request #4135: ARTEMIS-3794 System Property Encryption Support

Thu, 07 Jul 2022 17:48:05 -0700 


ryan-highley commented on code in PR #4135:
URL: https://github.com/apache/activemq-artemis/pull/4135#discussion_r916375410


##########
artemis-core-client/src/main/java/org/apache/activemq/artemis/core/remoting/impl/netty/NettyConnector.java:
##########
@@ -584,15 +585,15 @@ public synchronized void start() {
             realTrustStorePassword = trustStorePassword;
          } else {
             realKeyStorePath = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PATH_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PATH_PROP_NAME), keyStorePath).map(v -> 
useDefaultSslContext ? keyStorePath : 
v).filter(Objects::nonNull).findFirst().orElse(null);
-            realKeyStorePassword = 
Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME), 
System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null);
+            realKeyStorePassword = 
processSslPasswordProperty(Stream.of(System.getProperty(ACTIVEMQ_KEYSTORE_PASSWORD_PROP_NAME),
 System.getProperty(JAVAX_KEYSTORE_PASSWORD_PROP_NAME), keyStorePassword).map(v 
-> useDefaultSslContext ? keyStorePassword : 
v).filter(Objects::nonNull).findFirst().orElse(null));

Review Comment:
   That's an interesting thought. I based these updates on the approach 
handling keyStorePassword and trustStorePassword also applying adequately for 
their corresponding system property values.
   
   I'm all for providing essential flexibility, but I've also never had to 
provide an alternate password encoding codec to appease PEN testing or 
production environment security scans. I'm happy to address that if you see the 
need for that additional configuration and associated incremental complexity.
   
   Perhaps we can see if anyone files an enhancement request for specifying an 
alternate mask mode and/or password codec with system properties?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to