Posted to dev@geronimo.apache.org by "Kevan Miller (JIRA)" <ji...@apache.org> on 2011/05/26 05:17:47 UTC

[jira] [Created] (GERONIMO-5980) Improper encryption/obfuscation of passwords in configuration files

Improper encryption/obfuscation of passwords in configuration files
-------------------------------------------------------------------

                 Key: GERONIMO-5980
                 URL: https://issues.apache.org/jira/browse/GERONIMO-5980
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
            Reporter: Kevan Miller


Several users have reported problems starting Geronimo. The cause seems to be improperly encrypted passwords. Plain text passwords will be encrypted/obfuscated in configuration files. A very good hypothesis posed by Michael Peterson is that the problem occurs if you try to start Geronimo with an improperly configured JAVA_HOME. Starting Geronimo without a JAVA_HOME configured may cause passwords to be improperly encrypted. They may end up encrypted as {Simple}null.

From an email:

{quote}
On May 25, 2011, at 9:56 PM, michael.peterson wrote:

Ok...I think I see what was happening. 

When I first installed and tried to run "geronimo.sh run" I didn't 
have JAVA_HOME set. It failed with a bunch of messages. Then I 
realized that problem and set JAVA_HOME...but it looks like that time 
the property files have already been rewritten and the install 
corrupted. I didn't realize it was happening at the time of 
course...but since the new install was working I tried to redo the 
step to get to that broken state. The only way I could achieve that 
was to remove the JAVA_HOME and try and run geronimo. 

Does that make sense to you? 
{quote}

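A preflight check for the failure mode reported above, as an added example that is not part of the original message and is not Geronimo code: it verifies JAVA_HOME before a start is attempted and scans a configuration directory for values stored as {Simple}null. The directory argument, the function names, and the assumption that a valid {Simple} payload continues with base64-style characters are all hypothetical.

```shell
#!/bin/sh
# Added example, not Geronimo code. The config directory is supplied by the
# caller; the payload alphabet used to tell "null" from a longer value is
# an assumption.

# Return 0 only if JAVA_HOME is set and contains an executable bin/java.
java_home_ok() {
    [ -n "${JAVA_HOME:-}" ] && [ -x "$JAVA_HOME/bin/java" ]
}

# Print "file:line:text" for every line under $1 that holds the literal
# value {Simple}null. A value that merely starts with "null" and continues
# with payload characters is not reported.
find_null_secrets() {
    grep -rnE '\{Simple\}null($|[^A-Za-z0-9+/=])' "$1" 2>/dev/null
}

# Count the corrupted entries under $1.
count_null_secrets() {
    find_null_secrets "$1" | wc -l | tr -d ' '
}

# Refuse to start when JAVA_HOME is unusable (exit 2) or when an earlier
# failed start already left corrupted values behind (exit 3).
preflight() {
    if ! java_home_ok; then
        echo "JAVA_HOME is not set or has no bin/java; not starting" >&2
        return 2
    fi
    n=$(count_null_secrets "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n value(s) stored as {Simple}null; restore them first:" >&2
        find_null_secrets "$1" >&2
        return 3
    fi
    return 0
}

# Usage (placeholder path): preflight /path/to/config && ./geronimo.sh run
```
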