Hi Mandy,

On Wednesday 11 October 2017 11:48 PM, mandy chung wrote:


On 10/8/17 10:34 PM, Harsha Wardhana B wrote:

Hi Daniel,

Below is the webrev addressing the review comments.

http://cr.openjdk.java.net/~hb/5016517/webrev.04/


This approach seems reasonable. I only review management.properties and jmxremote.password.template file.

304 # ################# Hash passwords in password file ##############
305 # com.sun.management.jmxremote.password.hashpasswords = true|false
306 # Default for this property is true.
307 # Specifies if passswords in the above file should be hashed or not.

typo: passswords
s/above file/password file/ - it has been referred to as "password file" in many places.

Done.

I'm thinking any better alternative to the new property name??
com.sun.management.jmxremote.password.hashes
com.sun.management.jmxremote.password.asHashes
com.sun.management.jmxremote.passowrd.toHashes

49 # https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
50 # MD5, SHA-1 and SHA-256 are supported algorithms.
51 # This is an optional field. If not specified SHA-256 will be assumed.
I would avoid the link to the documentation of a specific JDK release.
Maybe say:

Refer to "Java Security Standard Algorithm Names Specification"
for supported algorithm.
Will modify the file appropriately.


53 # If passwords are in clear, they will be over-written by their hash if all of

s/over-written/overwritten

67 # If multiple entries are found for the same role name, then the last one
68 # is used.

If there are multiple entries of the same role, will all entries be overridden with hash value? It may be better to detect as an error when there is more than one entry of the same role?

It would be better to log a warning. Throwing an error would seem a bit extreme.
HashedPasswordFileTest.java
@bug is missing

Mandy
-Harsha
