GERONIMO-4927

keystorePass attribute on TomcatWebSSLConnector GBean should be encrypted/obscured

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.5, 2.2
    • Fix Version/s: 2.1.5
    • Component/s: None
    • Security Level: public (Regular issues)
    • Labels: None

      Description

      keystorePass does not conform to the current convention for encrypting/obscuring GBean attributes. Currently, attribute names containing 'password' are encrypted.

      We should either recognize keystorePass as an attribute requiring encryption or add a new keystorePassword attribute and start using that (with some appropriate migration logic, if a 'keystorePass' is configured). I guess I prefer the latter option. Other opinions?

      Attachment: 4927.patch (0.9 kB), Ashish Jain

        Activity

        Kevan Miller added a comment -

        Applied slightly modified patch. Thanks Ashish.

        keystorePass cannot be specified currently on 2.2 and 3.0. So, I've only applied to branches/2.1.

        Ashish Jain added a comment -

        IMO the best way without introducing much complexity would be to have a line of code checking for keystorePass attribute. In this way we may not have to worry about migration issues. I have generated a patch. Please verify. Thanks.

        Kevan Miller added a comment -

        Yes. That is what I meant by "add a new 'keystorePassword' attribute". Basic question is should it be renamed or still support keystorePass for migration purposes.

        Ashish Jain added a comment -

        Can we not rename the existing attribute as keystorePassword? Or else add another line of code in org.apache.geronimo.system.configuration.GBeanOverride.writeXml to encrypt the keystorePass, adding some logic, for example indexOf('pass'), then do the encryption.

        David Jencks added a comment -

        tomcat ssl should be using one of our keystore gbeans so it doesn't need to know about the password at all. Not gonna happen for 2.2 anyway...

        Kevan Miller added a comment -

        There is no TomcatWebSSLConnector GBean in 2.2. All the config info is in var/catalina/server.xml. So, the mechanism for 2.1.x won't work on 2.2. Don't know of a way to accomplish this on 2.2, at the moment – unfortunate.

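        The description and the comments above describe a name-based rule: attribute values are obscured in config.xml only when the attribute name contains 'password', which is why a secret stored under keystorePass was written in the clear. The following added example (not Geronimo's code; GBeanOverride.writeXml and EncryptionManager are only modelled here, and obscure() is a constructed stand-in for the real cipher) shows the gap under the old rule, the name-check fix from the patch discussion, and the rename-with-migration alternative from the description.

```python
# Model of the GBean attribute-obscuring convention discussed in GERONIMO-4927.
# Added illustration only: not Geronimo's GBeanOverride.writeXml or EncryptionManager.
import base64
from xml.sax.saxutils import quoteattr

def needs_encryption_old(name: str) -> bool:
    # Convention from the issue description: names containing 'password'
    # are encrypted before being written to config.xml.
    return "password" in name.lower()

def needs_encryption_new(name: str) -> bool:
    # Fix option from the comments: also recognise the Tomcat SSL
    # connector's 'keystorePass' attribute by name.
    return needs_encryption_old(name) or name == "keystorePass"

def migrate_attribute_name(name: str) -> str:
    # Alternative fix from the description: rename to keystorePassword while
    # still accepting a configured 'keystorePass' (migration logic).
    return "keystorePassword" if name == "keystorePass" else name

def obscure(value: str) -> str:
    # Constructed placeholder marking a value as obscured; NOT the real cipher.
    return "{Obscured}" + base64.b64encode(value.encode()).decode()

def write_attributes(attrs: dict, rule=needs_encryption_new, migrate=False) -> str:
    # Emit <attribute name="..."> elements as config.xml lists GBean
    # overrides, obscuring the values the rule selects.
    lines = []
    for name, value in attrs.items():
        if migrate:
            name = migrate_attribute_name(name)
        out = obscure(value) if rule(name) else value
        lines.append(f"<attribute name={quoteattr(name)}>{out}</attribute>")
    return "\n".join(lines)

def cleartext_secrets(xml: str, secrets) -> list:
    # Defender's check: which known secret values survived in the clear?
    return [s for s in secrets if s in xml]

# Constructed TomcatWebSSLConnector override; values are not from a real server.
SAMPLE = {"port": "8443", "keystoreFile": "var/security/keystores/geronimo-default",
          "keystorePass": "changeit", "truststorePassword": "trustme"}

if __name__ == "__main__":
    old = write_attributes(SAMPLE, rule=needs_encryption_old)
    print("leaked under old rule:", cleartext_secrets(old, ["changeit", "trustme"]))
    print(write_attributes(SAMPLE, migrate=True))
```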

          People

          • Assignee: Kevan Miller
          • Reporter: Kevan Miller