Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/04/24 16:04:40 UTC
DO NOT REPLY [Bug 53139] New: Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139
Bug #: 53139
Summary: Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)
Product: Tomcat 7
Version: 7.0.27
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: randy.very.gray@gmail.com
Classification: Unclassified
Created attachment 28667
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28667
JConsole view of a freshly installed Tomcat 7, with SSL enabled in server.xml
Issue:
I've noticed that Tomcat 7.0.27 exposes the keystore and truststore passwords
via JMX in cleartext (in the bean JIoEndpoint).
This was not the case in Tomcat 6; for example, the JIoEndpoint bean that
was exposed had far fewer attributes.
I have specified the passwords as attributes in the HTTPS connector
tag in server.xml.
Solution:
My quick solution was to add mbeans-descriptors.xml to the package
org.apache.tomcat.util.net (where JIoEndpoint lies) with this content:
<mbeans-descriptors>
  <mbean name="ThreadPool"
         description="JIoEndpoint"
         domain="Catalina"
         group="Connector"
         type="org.apache.tomcat.util.net.JIoEndpoint">
  </mbean>
</mbeans-descriptors>
With this, no attributes from JIoEndpoint are exposed anymore.
A better solution would be to add a more meaningful mbeans-descriptors.xml,
only filtering out critical keystore/truststore information.
Also see here:
http://www.mail-archive.com/users@tomcat.apache.org/msg98216.html
Thanks
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
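The work-around above removes every attribute from the JIoEndpoint MBean, so an administrator will want a way to confirm what a given Tomcat instance actually exposes before and after the descriptor is applied. The following audit client is an added example for this thread, not code from the bug report or from the Tomcat project. It connects to a JMX endpoint, walks every MBean in the Catalina domain and reports attribute names that look like keystore/truststore credentials, without ever reading their values. It assumes remote JMX was enabled with -Dcom.sun.management.jmxremote.port (the URL and port below are placeholders) and that credentials, if required, are supplied through the environment map.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Audits a Tomcat JMX endpoint for attributes whose names suggest
 * credential material (keystore/truststore passwords).
 * Only attribute names are reported, never their values.
 */
public class JmxSecretAttributeAudit {

    // Every MBean registered under the Catalina domain; the ThreadPool MBean
    // from the bug report is included by this pattern.
    private static final String QUERY_PATTERN = "Catalina:*";

    // Attribute names treated as sensitive (matched case-insensitively):
    // e.g. keystorePass, truststorePass, keyPass, keystorePassword.
    private static final Pattern SENSITIVE = Pattern.compile(
        "(keystore|truststore).*pass|pass(word)?$", Pattern.CASE_INSENSITIVE);

    /** Returns the number of credential-like attributes found on the endpoint. */
    static int audit(MBeanServerConnection conn) throws Exception {
        int hits = 0;
        Set<ObjectName> names = conn.queryNames(new ObjectName(QUERY_PATTERN), null);
        for (ObjectName name : names) {
            for (MBeanAttributeInfo attr : conn.getMBeanInfo(name).getAttributes()) {
                if (SENSITIVE.matcher(attr.getName()).find()) {
                    // Report the location only; the value is deliberately not fetched.
                    System.out.println("EXPOSED: " + name + " attribute " + attr.getName());
                    hits++;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL: host and port must match the JVM's jmxremote settings.
        String url = args.length > 0 ? args[0]
            : "service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi";

        // Optional JMX credentials, passed as the 2nd and 3rd arguments.
        Map<String, Object> env = new HashMap<>();
        if (args.length >= 3) {
            env.put(JMXConnector.CREDENTIALS, new String[] { args[1], args[2] });
        }

        int hits;
        try (JMXConnector connector =
                 JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            hits = audit(connector.getMBeanServerConnection());
        }
        System.out.println(hits == 0
            ? "No credential-like attributes exposed."
            : hits + " credential-like attribute(s) exposed.");
        // Non-zero exit lets the check fail a deployment pipeline.
        System.exit(hits == 0 ? 0 : 2);
    }
}
```

Run it once against a stock 7.0.27 instance to see the JIoEndpoint attributes reported, then again after dropping the mbeans-descriptors.xml into org.apache.tomcat.util.net; the second run should report nothing. The name-based regex is a heuristic, so extend it if a connector exposes credentials under other attribute names.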
--- Comment #2 from Randy <ra...@gmail.com> ---
But there are cases when developers also have access to JMX but aren't supposed
to see such security details.
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I'm not convinced that there is a security problem to solve here. JMX access is
equivalent to full admin access, and admins would be able to read those values
in server.xml anyway.
Mark Thomas <ma...@apache.org> changed:
Status: NEW -> RESOLVED
Resolution: --- -> WONTFIX
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
As I stated before, JMX is an administration interface and as such has access
to all sorts of internal details. This particular internal detail is of use
when remotely administering instances via JMX.
Unfortunately, JMX does not support fine-grained access controls. You are
limited to users having read access or read/write access to everything (as an
aside, fine-grained JMX access control could be an interesting project).
The Tomcat code is not going to be changed to remove this attribute. The
work-around you have adopted seems perfectly reasonable to me.