[jboss-jira] [JBoss JIRA] (JGRP-188) JGroups should not use System properties, because it's too restrictive
Julien Kronegg (Commented) (JIRA)
jira-events at lists.jboss.org
Tue Oct 11 03:44:16 EDT 2011
[ https://issues.jboss.org/browse/JGRP-188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12633716#comment-12633716 ]
Julien Kronegg commented on JGRP-188:
-------------------------------------
I think this issue should be reopened because using configuration parameters set through System properties may lead to security issues.
Imagine that the encryption parameters (store password and key password) are set via System properties, such as:
{code}
<ENCRYPT store_password="${systemPropertyStorePassword:changeit}" key_password="${systemPropertyKeyPassword:changeit}"/>
{code}
This may lead to security issues if the system properties can be read remotely. This occurs, e.g., via MBeans:
- IBM's ITCAM OSInfo
- JBoss AS's System Properties Service (http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch10.html)
The information disclosure is limited since the passwords are only used to unlock the keystore (they could not be used to decrypt the data).
> JGroups should not use System properties, because it's too restrictive
> ----------------------------------------------------------------------
>
> Key: JGRP-188
> URL: https://issues.jboss.org/browse/JGRP-188
> Project: JGroups
> Issue Type: Feature Request
> Affects Versions: 2.2.8, 2.2.9, 2.2.9.1
> Environment: all
> Reporter: Robert Stevenson
> Assignee: Bela Ban
> Priority: Minor
> Fix For: 2.4
>
> Original Estimate: 1 day
> Remaining Estimate: 1 day
>
> JGroups should not use System properties for configuration; it should instead use a Global Configurator class (singleton), similar to log4j, which just contains a Properties object. This would allow JGroups to be much easier to move around to different environments. For example: (Applet), which does not have access to easily change System properties, on a per applet basis.
> This new class could have a mapping/conversion method to make the current -D command line options be put into this new Properties Configurator for backward compatibility.
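
The exposure described in the comment above, as an added audit example that is not part of the original message or of JGroups: every JVM publishes its system properties as the `SystemProperties` attribute of the standard `java.lang:type=Runtime` MBean, so this check reads that attribute the way a JMX client with read access would. The class name, the name pattern and the sample values are assumptions made for this example.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.TabularData;

/** Audit: which secret-looking system properties are visible through the Runtime MXBean? */
public class SystemPropertyExposureAudit {

    // Assumption: a name heuristic chosen for this example; tune it for your deployment.
    private static final Pattern SECRET_NAME =
            Pattern.compile("(?i).*(password|passwd|secret|passphrase).*");

    /** Returns the names of secret-looking properties readable via java.lang:type=Runtime. */
    static List<String> exposedSecretProperties(MBeanServer server) throws Exception {
        ObjectName runtime = new ObjectName(ManagementFactory.RUNTIME_MXBEAN_NAME);
        // The same attribute a JMX client with read access would fetch.
        TabularData props = (TabularData) server.getAttribute(runtime, "SystemProperties");
        List<String> hits = new ArrayList<>();
        for (Object row : props.values()) {
            String key = (String) ((CompositeData) row).get("key");
            if (SECRET_NAME.matcher(key).matches()) {
                hits.add(key); // report the name only, never the value
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the property names mirror the ones in the comment.
        System.setProperty("systemPropertyStorePassword", "constructed-store-pw");
        System.setProperty("systemPropertyKeyPassword", "constructed-key-pw");

        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        System.out.println("Visible via JMX: " + exposedSecretProperties(server));

        // One mitigation, assuming the consumer has already read the values:
        // clear the properties so they no longer appear in the MBean attribute.
        System.clearProperty("systemPropertyStorePassword");
        System.clearProperty("systemPropertyKeyPassword");
        System.out.println("After clearing:  " + exposedSecretProperties(server));
    }
}
```

Running the same method at application start-up, before any remote JMX connector is enabled, gives a list of property names that should be moved to a non-global configuration source.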