Hi, I've added mbeans-descriptors.xml to the package org.apache.tomcat.util.net (the same package where JIOEndpoint is) in the classpath with this (almost) empty content:
<mbeans-descriptors> </mbeans-descriptors> org.apache.tomcat.util.modeler.Registry looks in the current package down to the parents package, and if it finds a mbeans-descriptor.xml file, it uses the attributes found inside there. If no XML file is found, it then reverts to finding out the attributes via reflection. So that file is enough not to load any MBean for JIoEndpoint. Thanks On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz <ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Randy, > > On 4/6/12 7:41 AM, Randy Gray wrote: >> Hi, >> >> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've >> noticed that the keystore and truststore passwords are exposed via >> JMX in cleartext (in the bean JIoEndpoint). This was not the case >> in Tomcat 6, for example JIoEndpoint bean which was exposed had >> much fewer attributes. I have specified the passwords as attributes >> in the HTTPS connector tag in server.xml. >> >> Here an example with an otherwise unmodified Tomcat 7: >> http://postimage.org/image/400y2pqsr/ >> >> How can I prevent that data to be exposed (as cleartext), as well >> as the keystore and truststore path? > > I can think of a couple of options: > > 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml > and suppress access to these fields (though they aren't specifically > in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem > to consult the mbeans-descrioptors.xml files). I've never done this, > so I can't say whether or not it will work. > > 2. Use TLS for JMX connections. Technically speaking, this will not > transmit your credentials in "cleartext", though anyone who can > connect can read your credentials. See below. > > 3. Use client certificates and/or username/password authentication to > access your JMX connector. Anyone who can connect to those resources > will probably be able to connect to other things, so having your > trustStore password is probably the least of your worries. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.17 (Darwin) > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R > DCIAoJPEG65KmenExYgGtVpgGG7J880c > =9y5M > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
