[jboss-jira] [JBoss JIRA] (WFLY-8162) JDR Subsystem destroys password related system properties

Brian Stansberry (JIRA) issues at jboss.org
Fri Feb 17 11:36:01 EST 2017


Brian Stansberry created WFLY-8162:
--------------------------------------

             Summary: JDR Subsystem destroys password related system properties
                 Key: WFLY-8162
                 URL: https://issues.jboss.org/browse/WFLY-8162
             Project: WildFly
          Issue Type: Bug
          Components: JDR
    Affects Versions: 10.0.0.Final, 10.1.0.Final
            Reporter: John Mazzitelli
            Assignee: Brian Stansberry
            Priority: Critical


When you export a JDR, it provides a report of system properties, but to avoid leaking passwords, it redacts any system property with the string <Redacted> - see here:

https://github.com/wildfly/wildfly/blob/master/jdr/jboss-as-jdr/src/main/java/org/jboss/as/jdr/commands/SystemProperties.java#L51-L53

One major problem is it never flips the system properties back to their original values! So once a JDR report is created, no code in the JVM will ever be able to use those password system properties again - because the password is now changed to the string "<Redacted>".

To fix, once that "system-properties.txt" file is created, you have to System.setProperty() those password properties back to their original values.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
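
The side effect described in this report, as an added Java illustration (not WildFly's code and not part of the original message). It contrasts redacting the live system properties in place with redacting only the text written to the report, an alternative to restoring the values afterwards. The class name, the `demo.keystore.password` property and the rule that a name containing "password" is sensitive are assumptions.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.TreeSet;

// Hypothetical demo class; this is not the JDR subsystem's SystemProperties command.
public class RedactionDemo {
    static final String REDACTED = "<Redacted>";

    // Assumption: a property is password related if its name contains "password".
    static boolean isSensitive(String name) {
        return name.toLowerCase(Locale.ROOT).contains("password");
    }

    // Pattern from the report: the redaction is written into the live properties,
    // so every later System.getProperty() call in the JVM sees "<Redacted>".
    static String reportInPlace(Properties live) {
        StringBuilder out = new StringBuilder();
        for (String name : new TreeSet<>(live.stringPropertyNames())) {
            if (isSensitive(name)) {
                live.setProperty(name, REDACTED); // side effect outlives the report
            }
            out.append(name).append('=').append(live.getProperty(name)).append('\n');
        }
        return out.toString();
    }

    // Non-mutating variant: the redacted value exists only in the report text.
    static String reportReadOnly(Properties live) {
        StringBuilder out = new StringBuilder();
        for (String name : new TreeSet<>(live.stringPropertyNames())) {
            String value = isSensitive(name) ? REDACTED : live.getProperty(name);
            out.append(name).append('=').append(value).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real credential.
        System.setProperty("demo.keystore.password", "constructed-secret");

        reportReadOnly(System.getProperties());
        System.out.println("after read-only report: "
                + System.getProperty("demo.keystore.password"));

        reportInPlace(System.getProperties());
        System.out.println("after in-place report:  "
                + System.getProperty("demo.keystore.password"));
    }
}
```

A regression test for this bug can follow the same shape: set a password property, generate the report, then assert that `System.getProperty()` still returns the original value and that the report text does not contain it.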