[jira] Created: (GERONIMO-4927) keystorePass attribute on TomcatWebSSLConnector GBean should be encrypted/obscured

keystorePass attribute on TomcatWebSSLConnector GBean should be encrypted/obscured
----------------------------------------------------------------------------------

                 Key: GERONIMO-4927
                 URL: https://issues.apache.org/jira/browse/GERONIMO-4927
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
    Affects Versions: 2.2, 3.0
            Reporter: Kevan Miller
             Fix For: 2.1.5, 2.2, 3.0


keystorePass does not conform to the current convention for encrypting/obscuring GBean attributes. Currently, attribute names with 'password' will be encrypted.

We should either recognize keystorePass as an attribute requiring encryption or add a new keystorePassword attribute and start using that (with some appropriate migration logic, if a 'keystorePass' is configured). I guess I prefer the latter option. Other opinions?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12770373#action_12770373 ]

Kevan Miller commented on GERONIMO-4927:
----------------------------------------

There is no TomcatWebSSLConnector GBean in 2.2. All the config info is in var/catalina/server.xml. So, mechanism for 2.1.x won't work on 2.2. Don't know of a way to accomplish this on 2.2, at the moment -- unfortunate.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevan Miller updated GERONIMO-4927:
-----------------------------------

    Affects Version/s:     (was: 3.0)
                           (was: 2.2)
                       2.2.1

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks updated GERONIMO-4927:
-----------------------------------

    Affects Version/s:     (was: 2.2.1)
                       2.2
                       2.1.5
        Fix Version/s:     (was: 2.2)
                       2.2.1

tomcat ssl should be using one of out keystore gbeans so it doesn't need to know about the password at all.  Not gonna happen for 2.2 anyway...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773017#action_12773017 ]

Ashish Jain commented on GERONIMO-4927:
---------------------------------------

Can we not rename the existing attribute as keystorePassword? Or else
add another line of code in org.apache.geronimo.system.configuration.GBeanOverride.writeXml  to encrypt the keystorePass adding
some logic for example indexof('pass") than do the encryption

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773038#action_12773038 ]

Kevan Miller commented on GERONIMO-4927:
----------------------------------------

Yes. That is what I meant by "add a new 'keystorePassword' attribute". Basic question is should it be *renamed* or still support keystorePass for migration purposes.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773508#action_12773508 ]

Ashish Jain commented on GERONIMO-4927:
---------------------------------------

IMO the best way without introducing much complexity would be to have a line of code checking for keystorePass attribute. In this way we may not have to worry about migration issues. I have generated a patch. Please verify. Thanks.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ashish Jain updated GERONIMO-4927:
----------------------------------

    Attachment: 4927.patch

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevan Miller closed GERONIMO-4927.
----------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.2.1)
                       (was: 3.0)

Applied slightly modified patch. Thanks Ashish.

keystorePass cannot be specified currently on 2.2 and 3.0. So, I've only applied to branches/2.1.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/GERONIMO-4927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevan Miller reassigned GERONIMO-4927:
--------------------------------------

    Assignee: Kevan Miller

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.