Actually, a <mbean> entry with the correct type attribute was needed:

<mbeans-descriptors>
  <mbean name="ThreadPool"
         description="JIoEndpoint"
         domain="Catalina"
         group="Connector"
         type="org.apache.tomcat.util.net.JIoEndpoint">
  </mbean>
</mbeans-descriptors>

On Thu, Apr 12, 2012 at 2:58 PM, Randy Gray <randy.very.g...@gmail.com> wrote:
> Hi,
>
> I've added mbeans-descriptors.xml to the package
> org.apache.tomcat.util.net (the same package where JIoEndpoint is) in
> the classpath with this (almost) empty content:
>
> <mbeans-descriptors>
> </mbeans-descriptors>
>
> org.apache.tomcat.util.modeler.Registry looks in the current package
> down to the parent packages, and if it finds an mbeans-descriptors.xml
> file, it uses the attributes found inside there. If no XML file is
> found, it then reverts to finding out the attributes via reflection.
>
> So that file is enough not to load any MBean for JIoEndpoint.
>
> Thanks
>
>
> On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Randy,
>>
>> On 4/6/12 7:41 AM, Randy Gray wrote:
>>> Hi,
>>>
>>> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
>>> noticed that the keystore and truststore passwords are exposed via
>>> JMX in cleartext (in the bean JIoEndpoint). This was not the case
>>> in Tomcat 6; for example, the JIoEndpoint bean which was exposed had
>>> much fewer attributes. I have specified the passwords as attributes
>>> in the HTTPS connector tag in server.xml.
>>>
>>> Here is an example with an otherwise unmodified Tomcat 7:
>>> http://postimage.org/image/400y2pqsr/
>>>
>>> How can I prevent that data from being exposed (as cleartext), as well
>>> as the keystore and truststore path?
>>
>> I can think of a couple of options:
>>
>> 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
>> and suppress access to these fields (though they aren't specifically
>> in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
>> to consult the mbeans-descriptors.xml files). I've never done this,
>> so I can't say whether or not it will work.
>>
>> 2. Use TLS for JMX connections. Technically speaking, this will not
>> transmit your credentials in "cleartext", though anyone who can
>> connect can read your credentials. See below.
>>
>> 3. Use client certificates and/or username/password authentication to
>> access your JMX connector. Anyone who can connect to those resources
>> will probably be able to connect to other things, so having your
>> trustStore password is probably the least of your worries.
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
>> DCIAoJPEG65KmenExYgGtVpgGG7J880c
>> =9y5M
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
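The fix described in this thread is a descriptor override: an mbeans-descriptors.xml placed at the package path org/apache/tomcat/util/net on Tomcat's classpath, containing one <mbean> entry for JIoEndpoint with the correct type attribute and no <attribute> children, so the modeler Registry takes the (empty) attribute list from the file instead of discovering getters by reflection. The script below is an added example written for this editing pass, not code from the thread or from Tomcat. It packages that descriptor into a jar at the path the thread names and then reads the jar back to check that the descriptor declares the expected type and no sensitive attributes. The jar file name and the list of sensitive attribute names (keystorePass, truststorePass, keystoreFile, truststoreFile, chosen to match the passwords and paths the original poster saw) are assumptions; the "bad" descriptor is a constructed sample used to show the check failing.

```python
"""Build and sanity-check a Tomcat 7 mbeans-descriptors.xml override jar.

Assumed (from the thread): the override must sit at
org/apache/tomcat/util/net/mbeans-descriptors.xml on Tomcat's classpath.
The jar name and the SENSITIVE attribute names are assumptions for this example.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Package path org.apache.tomcat.util.net, as a jar entry path (from the thread).
DESCRIPTOR_PATH = "org/apache/tomcat/util/net/mbeans-descriptors.xml"

# Assumed attribute names to flag; they mirror the keystore/truststore
# password and path values the thread says were exposed over JMX.
SENSITIVE = {"keystorePass", "truststorePass", "keystoreFile", "truststoreFile"}

# Constructed sample of what NOT to ship: a descriptor that explicitly
# declares the password attribute, so the Registry would expose it again.
BAD_DESCRIPTOR = (
    "<mbeans-descriptors>\n"
    '  <mbean name="ThreadPool" domain="Catalina" group="Connector"\n'
    '         type="org.apache.tomcat.util.net.JIoEndpoint">\n'
    '    <attribute name="keystorePass" type="java.lang.String"/>\n'
    "  </mbean>\n"
    "</mbeans-descriptors>\n"
)


def build_descriptor() -> str:
    """Descriptor content from the thread: one <mbean> entry with the correct
    type attribute and no <attribute> children, so no attributes are declared."""
    return (
        "<mbeans-descriptors>\n"
        '  <mbean name="ThreadPool"\n'
        '         description="JIoEndpoint"\n'
        '         domain="Catalina"\n'
        '         group="Connector"\n'
        '         type="org.apache.tomcat.util.net.JIoEndpoint">\n'
        "  </mbean>\n"
        "</mbeans-descriptors>\n"
    )


def write_descriptor_jar(jar_path: str) -> str:
    """Package the descriptor at the package path the modeler Registry searches."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(DESCRIPTOR_PATH, build_descriptor())
    return jar_path


def check_descriptor(xml_text) -> dict:
    """Parse a descriptor and report each <mbean>'s type, its declared
    attribute names, and any declared name that is in SENSITIVE."""
    root = ET.fromstring(xml_text)
    report = {"mbeans": [], "exposed_sensitive": []}
    for mb in root.findall("mbean"):
        attrs = [a.get("name") for a in mb.findall("attribute")]
        report["mbeans"].append(
            {"name": mb.get("name"), "type": mb.get("type"), "attributes": attrs}
        )
        report["exposed_sensitive"].extend(sorted(SENSITIVE & set(attrs)))
    return report


def check_descriptor_jar(jar_path: str) -> dict:
    """Read the descriptor back out of the jar entry and check it."""
    with zipfile.ZipFile(jar_path) as jar:
        return check_descriptor(jar.read(DESCRIPTOR_PATH))


def demo() -> dict:
    """Build the override jar in a temp dir and return the check report."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = write_descriptor_jar(os.path.join(tmp, "jmx-descriptor-override.jar"))
        return check_descriptor_jar(jar)


if __name__ == "__main__":
    print("override jar:", demo())
    print("bad sample:  ", check_descriptor(BAD_DESCRIPTOR))
```

The check only confirms what the descriptor file declares; whether the running server honours it still has to be confirmed by connecting to Tomcat's JMX port (which, as the thread points out, should itself be protected with TLS and authentication) and listing the attributes of the Catalina:type=ThreadPool bean after a restart.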