Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-08 Thread Mark H. Wood
On Fri, Oct 05, 2012 at 05:11:57PM -0400, Christopher Schultz wrote:
> On 10/5/12 1:51 PM, Te Li wrote:
> > I am not familiar with JIoEndpoint discussed in 
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
> > 
> > The issue I'm facing is something different. Apparently, some
> > effort was made to hide the DB password, but the DB password is
> > still exposed via another getter (getDbProperties()). This seems to
> > be a bug to me.
> > 
> > DB passwords are highly sensitive information. JMX admins shouldn't
> > see those either. It's not a reasonable assumption that it's okay
> > for JMX admins to see exposed DB passwords (which should never be
> > exposed in plaintext or encrypted form). Those who work in a
> > company would probably concur with this point.
> 
> I think most of us work at companies, and I happen to disagree with you.
> 
> Tomcat passwords -- at least those in server.xml -- are in plain-text
> form. All requests to obfuscate them have been denied because it is
> simply not possible to properly secure them: the key always must be
> available to the administrator in order to read the obfuscated
> password and therefore any steps to "secure" the password are a charade.
> 
> There is a wealth of knowledge available via JMX, and it should only
> be exposed to administrators. Any JMX-enabled administrator will be
> able to deploy an arbitrary webapp to go and fetch the data you are
> trying to hide. You are wasting your time.

Well, I agree with both of you. :-)

The O.P. seems to want something like a military-style access control
system, in which it is possible to set up a structure where *no one*
has ultimate access; different roles have privileged access to
different aspects of the operation.  This is not an unreasonable
desire.  There are situations where it is advantageous (to the
organization) to operate in such a way that there are things a single
high-value captive cannot compromise.  Compare this to everyday
financial controls which require multiple signatures on a check or
several individuals with different keys to open a safe.  The highest
authorities can order things done, but cannot do them.  When wearing
my sysadmin hat, I work hard to make sure that I do not have to know
some of the secrets required to run our operation.

OTOH I agree that Tomcat is not set up to give you a heterarchical
access structure.  Very few products are.  I'm sure I never heard of
most of them and suppose that few of you all have either.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.




Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-05 Thread Christopher Schultz

Te,

On 10/5/12 1:51 PM, Te Li wrote:
> I am not familiar with JIoEndpoint discussed in 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
> 
> The issue I'm facing is something different. Apparently, some
> effort was made to hide the DB password, but the DB password is
> still exposed via another getter (getDbProperties()). This seems to
> be a bug to me.
> 
> DB passwords are highly sensitive information. JMX admins shouldn't
> see those either. It's not a reasonable assumption that it's okay
> for JMX admins to see exposed DB passwords (which should never be
> exposed in plaintext or encrypted form). Those who work in a
> company would probably concur with this point.

I think most of us work at companies, and I happen to disagree with you.

Tomcat passwords -- at least those in server.xml -- are in plain-text
form. All requests to obfuscate them have been denied because it is
simply not possible to properly secure them: the key always must be
available to the administrator in order to read the obfuscated
password and therefore any steps to "secure" the password are a charade.

There is a wealth of knowledge available via JMX, and it should only
be exposed to administrators. Any JMX-enabled administrator will be
able to deploy an arbitrary webapp to go and fetch the data you are
trying to hide. You are wasting your time.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-05 Thread Shanti Suresh
Hi Te,

Yes, it would be very nice if the DB passwords don't get exposed via JMX.
If we could have an additional role to get and set some of the sensitive
MBeans, that would be really nice.  More simply, if getDbProperties() can
also simply return some dummy warning information, that will work.

Thanks.
  -Shanti

On Fri, Oct 5, 2012 at 1:51 PM, Te Li wrote:

> I am not familiar with JIoEndpoint discussed in
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
>
> The issue I'm facing is something different. Apparently, some effort was
> made to hide the DB password, but the DB password is still exposed via
> another getter (getDbProperties()). This seems to be a bug to me.
>
> DB passwords are highly sensitive information. JMX admins shouldn't see
> those either. It's not a reasonable assumption that it's okay for JMX
> admins to see exposed DB passwords (which should never be exposed in
> plaintext or encrypted form). Those who work in a company would probably
> concur with this point.
>
> Does that make sense to anyone?
>
> Thanks,
> Te
>
> On 10/5/12 6:51 AM, "Shanti Suresh" wrote:
>
> >Hi Te,
> >
> >Will it be an option for you to create a JSP as was recently discussed in
> >this list, to expose just the particular MBeans that you need?
> >
> >Thanks.
> >  -Shanti
> >
> >On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
> >ch...@christopherschultz.net> wrote:
> >
> >> Te,
> >>
> >> On 10/4/12 1:56 PM, Te Li wrote:
> >> > DB password is secret information and should not be exposed via
> >> > JMX. The tomcat ConnectionPool class implements
> >> > ConnectionPoolMBean interface. This interface exposes connection
> >> > pool configuration and statistics. However, because this interface
> >> > extends PoolConfiguration which has "getDbProperties()" method that
> >> > exposes the "password" property in plain text.
> >> >
> >> > The getPassword() method in DataSourceProxy class (which
> >> > implements PoolConfiguration interface) correctly does not return
> >> > the password but just a dummy value "Password not available as
> >> > DataSource/JMX operation."  However, the password is still exposed
> >> > via getDbProperties() method, which is an unexpected behavior.
> >> >
> >> > Due to the exposure of plain-text password, we cannot use the
> >> > ConnectionPoolMBean class out of the box in our production
> >> > environment and have to define our own MBean interface to expose
> >> > the ConnectionPool bean. Please fix this.
> >>
> >> Sounds a lot like
> >> https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
> >>
> >> Given the response to that enhancement request, I suspect yours will
> >> get the same treatment were you to actually file it in Bugzilla.
> >>
> >> -chris


Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-05 Thread Te Li
I am not familiar with JIoEndpoint discussed in
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.

The issue I'm facing is something different. Apparently, some effort was
made to hide the DB password, but the DB password is still exposed via
another getter (getDbProperties()). This seems to be a bug to me.

DB passwords are highly sensitive information. JMX admins shouldn't see
those either. It's not a reasonable assumption that it's okay for JMX
admins to see exposed DB passwords (which should never be exposed in
plaintext or encrypted form). Those who work in a company would probably
concur with this point.

Does that make sense to anyone?

Thanks,
Te

On 10/5/12 6:51 AM, "Shanti Suresh" wrote:

>Hi Te,
>
>Will it be an option for you to create a JSP as was recently discussed in
>this list, to expose just the particular MBeans that you need?
>
>Thanks.
>  -Shanti
>
>On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
>ch...@christopherschultz.net> wrote:
>
>> Te,
>>
>> On 10/4/12 1:56 PM, Te Li wrote:
>> > DB password is secret information and should not be exposed via
>> > JMX. The tomcat ConnectionPool class implements
>> > ConnectionPoolMBean interface. This interface exposes connection
>> > pool configuration and statistics. However, because this interface
>> > extends PoolConfiguration which has "getDbProperties()" method that
>> > exposes the "password" property in plain text.
>> >
>> > The getPassword() method in DataSourceProxy class (which
>> > implements PoolConfiguration interface) correctly does not return
>> > the password but just a dummy value "Password not available as
>> > DataSource/JMX operation."  However, the password is still exposed
>> > via getDbProperties() method, which is an unexpected behavior.
>> >
>> > Due to the exposure of plain-text password, we cannot use the
>> > ConnectionPoolMBean class out of the box in our production
>> > environment and have to define our own MBean interface to expose
>> > the ConnectionPool bean. Please fix this.
>>
>> Sounds a lot like
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
>>
>> Given the response to that enhancement request, I suspect yours will
>> get the same treatment were you to actually file it in Bugzilla.
>>
>> -chris



Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-05 Thread Shanti Suresh
Hi Te,

Will it be an option for you to create a JSP as was recently discussed in
this list, to expose just the particular MBeans that you need?

Thanks.
  -Shanti

On Thu, Oct 4, 2012 at 3:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Te,
>
> On 10/4/12 1:56 PM, Te Li wrote:
> > DB password is secret information and should not be exposed via
> > JMX. The tomcat ConnectionPool class implements
> > ConnectionPoolMBean interface. This interface exposes connection
> > pool configuration and statistics. However, because this interface
> > extends PoolConfiguration which has "getDbProperties()" method that
> > exposes the "password" property in plain text.
> >
> > The getPassword() method in DataSourceProxy class (which
> > implements PoolConfiguration interface) correctly does not return
> > the password but just a dummy value "Password not available as
> > DataSource/JMX operation."  However, the password is still exposed
> > via getDbProperties() method, which is an unexpected behavior.
> >
> > Due to the exposure of plain-text password, we cannot use the
> > ConnectionPoolMBean class out of the box in our production
> > environment and have to define our own MBean interface to expose
> > the ConnectionPool bean. Please fix this.
>
> Sounds a lot like https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
>
> Given the response to that enhancement request, I suspect yours will
> get the same treatment were you to actually file it in Bugzilla.
>
> -chris


Re: ConnectionPoolMBean should not expose plain-text DB password

2012-10-04 Thread Christopher Schultz

Te,

On 10/4/12 1:56 PM, Te Li wrote:
> DB password is secret information and should not be exposed via
> JMX. The tomcat ConnectionPool class implements
> ConnectionPoolMBean interface. This interface exposes connection
> pool configuration and statistics. However, because this interface
> extends PoolConfiguration which has "getDbProperties()" method that
> exposes the "password" property in plain text.
> 
> The getPassword() method in DataSourceProxy class (which
> implements PoolConfiguration interface) correctly does not return
> the password but just a dummy value "Password not available as
> DataSource/JMX operation."  However, the password is still exposed
> via getDbProperties() method, which is an unexpected behavior.
> 
> Due to the exposure of plain-text password, we cannot use the 
> ConnectionPoolMBean class out of the box in our production 
> environment and have to define our own MBean interface to expose
> the ConnectionPool bean. Please fix this.

Sounds a lot like https://issues.apache.org/bugzilla/show_bug.cgi?id=53139

Given the response to that enhancement request, I suspect yours will
get the same treatment were you to actually file it in Bugzilla.

-chris



ConnectionPoolMBean should not expose plain-text DB password

2012-10-04 Thread Te Li
Hello,

DB password is secret information and should not be exposed via JMX. The Tomcat 
ConnectionPool class implements the ConnectionPoolMBean interface. This interface 
exposes connection pool configuration and statistics. However, this interface 
extends PoolConfiguration, which has a "getDbProperties()" method that exposes 
the "password" property in plain text.

The getPassword() method in DataSourceProxy class (which implements 
PoolConfiguration interface) correctly does not return the password but just a 
dummy value "Password not available as DataSource/JMX operation."  However, the 
password is still exposed via getDbProperties() method, which is an unexpected 
behavior.

Due to the exposure of plain-text password, we cannot use the 
ConnectionPoolMBean class out of the box in our production environment and have 
to define our own MBean interface to expose the ConnectionPool bean. Please fix 
this.

Thanks,
Te

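The gap reported in the original post, getPassword() masked while getDbProperties() still carries the "password" key, is something a small in-process JMX audit can check for. This is an added example, not code from the thread or from Tomcat: PoolView, PoolViewMBean, the demo: object names and the sample values are constructed stand-ins, and removing the key from a copy is one way to keep the value out of the returned properties.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.*;

public class JmxSecretAudit {
    // Hypothetical stand-in for a pool MBean; not Tomcat's ConnectionPoolMBean.
    public interface PoolViewMBean { String getPassword(); Properties getDbProperties(); }

    public static class PoolView implements PoolViewMBean {
        private final Properties props;
        private final boolean redact;
        public PoolView(Properties props, boolean redact) { this.props = props; this.redact = redact; }
        public String getPassword() { return "Password not available as DataSource/JMX operation."; }
        public Properties getDbProperties() {
            Properties copy = new Properties();
            copy.putAll(props);                    // hand out a copy, never the live object
            if (redact) copy.remove("password");   // hardened variant drops the secret
            return copy;
        }
    }

    // Lists attributes whose Map/Properties value has a password-like key (key name only, never the value).
    static List<String> audit(MBeanServer server, ObjectName pattern) throws Exception {
        List<String> findings = new ArrayList<>();
        for (ObjectName name : new TreeSet<>(server.queryNames(pattern, null))) {
            for (MBeanAttributeInfo attr : server.getMBeanInfo(name).getAttributes()) {
                if (!attr.isReadable()) continue;
                Object value;
                try { value = server.getAttribute(name, attr.getName()); }
                catch (Exception e) { continue; }  // attribute could not be read: skip it
                if (!(value instanceof Map)) continue;
                for (Object key : ((Map<?, ?>) value).keySet()) {
                    if (String.valueOf(key).toLowerCase(Locale.ROOT).contains("password"))
                        findings.add(name + " " + attr.getName() + "[" + key + "]");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Properties p = new Properties();           // constructed sample values
        p.setProperty("user", "app");
        p.setProperty("password", "constructed-example-value");
        server.registerMBean(new PoolView(p, false), new ObjectName("demo:type=Pool,name=asExposed"));
        server.registerMBean(new PoolView(p, true), new ObjectName("demo:type=Pool,name=redacted"));
        audit(server, new ObjectName("demo:*")).forEach(System.out::println);
    }
}
```

Passing a null pattern to audit() covers every registered MBean rather than only the demo domain.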
