This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
| Summary: | Insecure storage of server admin passwords | | |
|---|---|---|---|
| Product: | serverplugins | Reporter: | Jesse Glick <jglick> |
| Component: | Infrastructure | Assignee: | Petr Hejl <phejl> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | anebuzelsky, jskrivanek, mmirilovic, pjiricka |
| Priority: | P2 | | |
| Version: | 6.x | | |
| Hardware: | All | | |
| OS: | All | | |
| Issue Type: | DEFECT | Exception Reporter: | |
| Bug Depends on: | 173413 | | |
| Bug Blocks: | | | |
Description
Jesse Glick
2009-12-04 12:52:29 UTC
it is mine now

I will help finish the propagation of the Keyring api into the j2ee.sun.* modules for 6.9... I categorized all such issues as DEFECTs since the current state may permit user passwords to be compromised.

Looks reasonable from what I can understand. Minor comments:

- key description need not start with ' '
- GlassfishModule.PASSWORD_CONVERTED_FLAG is odd; generally you would simply delete the password from old storage after conversion. But perhaps there is some reason for doing it this way that is specific to server config files.

Integrated into 'main-golden', will be available in build *201002180200* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/3a6c4e72612e
User: vince kraemer <vkraemer@netbeans.org>
Log: #178165: use the keyring for the admin passwords

We have to do this for other servers as well.

This is really a P2 *defect*, needs to be fixed for 7.0.1.

Fixed in web-main ea5a6231a5d8 and 519d03495203.

Integrated into 'main-golden', will be available in build *201104090401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/ea5a6231a5d8
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords

Avoid EDT usage: web-main fead1e05a030.

Integrated into 'main-golden', will be available in build *201104120401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/fead1e05a030
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords

Integrated into 'main-golden', will be available in build *201104130401* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/3a5d840491bd
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords - deadlock fix

Integrated into 'main-golden', will be available in build *201104210000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/cb99fb87b64f
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords - deadlock fix

For Tomcat server the password is still stored in <userdir>/tomcat.properties for headless deployment. Please, do not store the password and rather modify ant-deploy.xml script to print warning that user has to provide password himself to be able to deploy from command line (Jesse already pointed this out in the last paragraph of the original description).

Affected source file: tomcat5\src\org\netbeans\modules\tomcat5\AntDeploymentProviderImpl.java

Moreover headless deployment is not working and needs to be fixed (see bug 198271).

Fixed in web-main 187973203f7b.

Integrated into 'main-golden', will be available in build *201105050000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/187973203f7b
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords

Verified in trunk build 201105050000. Please, merge to 70 patch 1 branch.

(In reply to comment #18)
> Verified in trunk build 201105050000. Please, merge to 70 patch 1 branch.

That would mean merging all previous patches and deadlock fixes. That seems too risky to me. Do we really want to do that for patch 1?

Integrated into 'main-golden', will be available in build *201105070000* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main/rev/4406cc376cdb
User: phejl@netbeans.org
Log: #178165 Insecure storage of server admin passwords
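
The review comment in this thread suggests deleting the password from old storage after conversion instead of tracking a converted flag. That migration, as an added example that is not NetBeans or server plugin code: `SecretStore`, the `password` property name and the file name are hypothetical stand-ins (the modules discussed here use the NetBeans Keyring API), and the sample config is constructed.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
public class PasswordMigration {
    /** Hypothetical stand-in for a keyring; a NetBeans module would call its Keyring API here. */
    interface SecretStore {
        void save(String key, char[] secret, String description);
        char[] read(String key);
    }

    /** Moves the plaintext "password" property (assumed key name) into the store, then removes it from the file. */
    static boolean migrate(Path config, String storeKey, SecretStore store) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(config)) {
            props.load(in);
        }
        String plain = props.getProperty("password");
        if (plain == null) return false; // nothing to convert: absence of the property is the "converted" state
        char[] secret = plain.toCharArray();
        store.save(storeKey, secret, "Admin password for " + storeKey);
        // Confirm the store holds the secret before destroying the only other copy.
        if (!Arrays.equals(store.read(storeKey), secret)) {
            throw new IOException("secret store did not persist the password; old file left untouched");
        }
        Arrays.fill(secret, '\0'); // wipe our working copy; the store is expected to keep its own
        props.remove("password");
        // Write a temp file and move it into place so a failed write cannot truncate the config.
        Path tmp = Files.createTempFile(config.toAbsolutePath().getParent(), "cfg", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            props.store(out, null);
        }
        Files.move(tmp, config, StandardCopyOption.REPLACE_EXISTING);
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("userdir");      // constructed sample userdir
        Path cfg = dir.resolve("server.properties");          // hypothetical file name
        Files.write(cfg, Arrays.asList("url=http://localhost:8080", "password=s3cret"));
        Map<String, char[]> mem = new HashMap<>();            // in-memory store, for the demo only
        SecretStore store = new SecretStore() {
            public void save(String k, char[] s, String d) { mem.put(k, s.clone()); }
            public char[] read(String k) { return mem.get(k); }
        };
        System.out.println("first run converted: " + migrate(cfg, "server-1", store));
        System.out.println("second run converted: " + migrate(cfg, "server-1", store));
        System.out.println("plaintext left in file: " + new String(Files.readAllBytes(cfg)).contains("s3cret"));
    }
}
```

Because the conversion is keyed on the presence of the plaintext property, rerunning it is harmless and no separate flag has to be kept in sync with the file.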