glassfish
  1. glassfish
  2. GLASSFISH-18122

SSH/DCOM connection credentials stored in clear text in domain.xml

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Works as designed
    • Affects Version/s: 3.1.2_dev
    • Fix Version/s: None
    • Component/s: admin
    • Labels:
      None
    • Environment:

      ogs-3.1.2-b16.zip

      Description

      Currently when we create an SSH or DCOM node, connection credentials are stored in domain.xml as follows:

      <node node-host="localhost" name="localhost-domain1" type="CONFIG" install-dir="$

      {com.sun.aas.productRoot}

      "></node>
      <node node-host="jed-asqe-43" name="jedy" windows-domain="jed-asqe-43" type="DCOM" install-dir="C:\as\dcomtest\glassfish3">
      <ssh-connector ssh-port="135">
      <ssh-auth user-name="usernameincleartext" password="passwordincleartext"></ssh-auth>
      </ssh-connector>
      </node>

      While on unix systems domain.xml is protected by file permissions, it is not so on windows. We should not be storing machine connection credentials in clear text.

        Activity

        Hide
        Tom Mueller added a comment -

        SSH and DCOM passwords in domain.xml can use the password alias mechanism to hide passwords.
        So this concern is already dealt with.

        Marking this as "works as designed".

        Show
        Tom Mueller added a comment - SSH and DCOM passwords in domain.xml can use the password alias mechanism to hide passwords. So this concern is already dealt with. Marking this as "works as designed".

          People

          • Assignee:
            Tom Mueller
            Reporter:
            lidiam
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: