[Bug 53139] Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)

2012-05-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139

Mark Thomas ma...@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #3 from Mark Thomas ma...@apache.org ---
As I stated before, JMX is an administration interface and as such has access
to all sorts of internal details. This particular internal detail is of use
when remotely administering instances via JMX.

Unfortunately, JMX does not support fine-grained access controls. You are
limited to users having read access or read/write access to everything (as an
aside, fine-grained JMX access control could be an interesting project).

The Tomcat code is not going to be changed to remove this attribute. The
work-around you have adopted seems perfectly reasonable to me.

-- 
You are receiving this mail because:
You are the assignee for the bug.
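
The "fine-grained JMX access control" idea from comment #3 can be sketched with the standard `MBeanServerForwarder` hook. This is an added example, not Tomcat code and not the reporter's work-around; the rule that any attribute name containing "pass" is a secret and the `Demo` MBean are assumptions made for the illustration.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import javax.management.*;
import javax.management.remote.MBeanServerForwarder;

public class RedactingForwarder {
    static final String MASK = "********";
    // Assumption: attributes with "pass" in the name (e.g. keystorePass) are secrets.
    static boolean isSecret(Object name) {
        return name instanceof String && ((String) name).toLowerCase().contains("pass");
    }

    // Dynamic proxy: only the two attribute read paths are handled here, the rest is delegated.
    static MBeanServerForwarder wrap(MBeanServer target) {
        MBeanServer[] next = { target };
        return (MBeanServerForwarder) Proxy.newProxyInstance(RedactingForwarder.class.getClassLoader(),
            new Class<?>[] { MBeanServerForwarder.class }, (proxy, m, args) -> {
                String op = m.getName();
                if (op.equals("getMBeanServer")) return next[0];
                if (op.equals("setMBeanServer")) { next[0] = (MBeanServer) args[0]; return null; }
                if (op.equals("getAttribute") && isSecret(args[1])) return MASK; // value is never read
                Object result;
                try { result = m.invoke(next[0], args); }
                catch (InvocationTargetException e) { throw e.getCause(); } // keep the JMX exception
                if (!op.equals("getAttributes")) return result;
                AttributeList out = new AttributeList();
                for (Attribute a : ((AttributeList) result).asList())
                    out.add(isSecret(a.getName()) ? new Attribute(a.getName(), MASK) : a);
                return out;
            });
    }

    // Constructed stand-in for a connector MBean (hypothetical, not a Tomcat class).
    public interface DemoMBean { String getKeystorePass(); int getPort(); }
    public static class Demo implements DemoMBean {
        public String getKeystorePass() { return "constructed-secret"; }
        public int getPort() { return 8443; }
    }

    public static void main(String[] argv) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName on = new ObjectName("example:type=Demo");
        mbs.registerMBean(new StandardMBean(new Demo(), DemoMBean.class), on);
        MBeanServer guarded = wrap(mbs);
        System.out.println(guarded.getAttribute(on, "KeystorePass"));
        System.out.println(guarded.getAttributes(on, new String[] { "KeystorePass", "Port" }));
        // Remote use: call JMXConnectorServer.setMBeanServerForwarder(wrap(mbs)) before start().
    }
}
```

The forwarder only filters `getAttribute` and `getAttributes` calls that pass through it; operations invoked on the MBean and the values stored in server.xml are outside its reach.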




[Bug 53139] Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)

2012-05-07 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139

--- Comment #2 from Randy randy.very.g...@gmail.com ---
But there are cases when developers also have access to JMX but aren't supposed
to see such security details.



[Bug 53139] Prevent showing keystore/truststore passwords via JMX in cleartext (with solution)

2012-04-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=53139

--- Comment #1 from Mark Thomas ma...@apache.org ---
I am not convinced that there is a security problem to solve here. JMX access is
equivalent to full admin access and admins would be able to read those values
in server.xml anyway.
