On Fri, Oct 05, 2012 at 05:11:57PM -0400, Christopher Schultz wrote:
> On 10/5/12 1:51 PM, Te Li wrote:
> > I am not familiar with JIoEndpoint discussed in
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=53139.
> >
> > The issue I'm facing is something different. Apparently, some
> > effort was made to hide the DB password, but the DB password is
> > still exposed via another getter (getDbProperties()). This seems to
> > be a bug to me.
> >
> > DB passwords are highly sensitive information. JMX admins shouldn't
> > see those either. It's not a reasonable assumption that it's okay
> > for JMX admins to see exposed DB passwords (which should never be
> > exposed in plaintext or encrypted form). Those who work in a
> > company would probably concur with this point.
>
> I think most of us work at companies, and I happen to disagree with you.
>
> Tomcat passwords -- at least those in server.xml -- are in plain-text
> form. All requests to obfuscate them have been denied because it is
> simply not possible to properly secure them: the key always must be
> available to the administrator in order to read the obfuscated
> password and therefore any steps to "secure" the password are a charade.
>
> There is a wealth of knowledge available via JMX, and it should only
> be exposed to administrators. Any JMX-enabled administrator will be
> able to deploy an arbitrary webapp to go and fetch the data you are
> trying to hide. You are wasting your time.

Well, I agree with both of you. :-)

The O.P. seems to want something like a military-style access control system, in which it is possible to set up a structure where *no one* has ultimate access; different roles have privileged access to different aspects of the operation.

This is not an unreasonable desire. There are situations where it is advantageous (to the organization) to operate in such a way that there are things a single high-value captive cannot compromise. Compare this to everyday financial controls which require multiple signatures on a check or several individuals with different keys to open a safe. The highest authorities can order things done, but cannot do them. When wearing my sysadmin hat, I work hard to make sure that I do not have to know some of the secrets required to run our operation.

OTOH I agree that Tomcat is not set up to give you a heterarchical access structure. Very few products are. I'm sure I never heard of most of them and suppose that few of you all have either.

-- 
Mark H. Wood, Lead System Programmer   mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.