RFE Review : JDK-5016517 - Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent

mandy chung mandy.chung at oracle.com
Wed Oct 11 18:18:44 UTC 2017



On 10/8/17 10:34 PM, Harsha Wardhana B wrote:
>
> Hi Daniel,
>
> Below is the webrev addressing the review comments.
>
> http://cr.openjdk.java.net/~hb/5016517/webrev.04/
>

This approach seems reasonable. I only reviewed management.properties 
and the jmxremote.password.template file.

304 # ################# Hash passwords in password file ##############
305 # com.sun.management.jmxremote.password.hashpasswords = true|false
306 # Default for this property is true.
307 # Specifies if passswords in the above file should be hashed or not.

typo: passswords
s/above file/password file/ - it has been referred to as "password file" 
in many places.

I'm thinking any better alternative to the new property name??
com.sun.management.jmxremote.password.hashes
com.sun.management.jmxremote.password.asHashes
com.sun.management.jmxremote.password.toHashes
49 # https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
50 # MD5, SHA-1 and SHA-256 are supported algorithms.
51 # This is an optional field. If not specified SHA-256 will be assumed.

I would avoid the link to the documentation of a specific JDK release.
Maybe say:

Refer to "Java Security Standard Algorithm Names Specification"
for supported algorithm.


53 # If passwords are in clear, they will be over-written by their hash if all of

s/over-written/overwritten

67 # If multiple entries are found for the same role name, then the last one
68 # is used.

If there are multiple entries of the same role, will all entries be 
overridden with hash value? It may be better to detect it as an error when 
there is more than one entry for the same role?

HashedPasswordFileTest.java
@bug is missing

Mandy
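As an added illustration of the two review points above (hashing clear-text entries with a MessageDigest algorithm, and treating a repeated role name as an error rather than letting the last entry win), here is a small Java program. It is example code written for this page, not code from the webrev or from the JDK; the on-disk layout it assumes for a hashed entry (role, base64 hash, base64 salt, algorithm name) and the sample entries are constructed for the example and are not the JDK's jmxremote.password format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Example only: hashes clear-text entries of a JMX-style password file and
 * optionally rejects duplicate role names. The entry layout
 * "role hash salt algorithm" is an assumption made for this example.
 */
public class PasswordFileHasher {

    // Constructed sample input: two clear-text entries plus a comment line.
    static final String SAMPLE =
        "# constructed sample, not a real password file\n" +
        "monitorRole  example-pass-1\n" +
        "controlRole  example-pass-2\n";

    // Same file with the monitorRole entry repeated.
    static final String SAMPLE_WITH_DUPLICATE = SAMPLE + "monitorRole  example-pass-3\n";

    /** Salted digest of the password with the given MessageDigest algorithm, base64 encoded. */
    static String hash(String password, byte[] salt, String algorithm) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    /**
     * Parses the file contents and returns role -> "hash salt algorithm".
     * Clear-text entries (two fields) are replaced by their hash; entries that
     * already have four fields are kept as they are. When rejectDuplicates is
     * false the last entry for a role wins, as the template text describes;
     * when true a repeated role is reported as an error instead.
     */
    static Map<String, String> hashEntries(String contents, String algorithm, boolean rejectDuplicates)
            throws NoSuchAlgorithmException {
        SecureRandom rng = new SecureRandom();
        Map<String, String> out = new LinkedHashMap<>();
        for (String line : contents.split("\n")) {
            String trimmed = line.trim();
            if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;
            String[] parts = trimmed.split("\\s+");
            if (parts.length != 2 && parts.length != 4) {
                throw new IllegalArgumentException("malformed entry: " + line);
            }
            String role = parts[0];
            if (rejectDuplicates && out.containsKey(role)) {
                throw new IllegalArgumentException("duplicate entry for role: " + role);
            }
            if (parts.length == 4) {
                // assumed already-hashed form: role hash salt algorithm
                out.put(role, parts[1] + " " + parts[2] + " " + parts[3]);
                continue;
            }
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            String hashed = hash(parts[1], salt, algorithm);
            out.put(role, hashed + " " + Base64.getEncoder().encodeToString(salt) + " " + algorithm);
        }
        return out;
    }

    /** Checks a login attempt against a stored "hash salt algorithm" value. */
    static boolean verify(String stored, String password) throws NoSuchAlgorithmException {
        String[] f = stored.split(" ");
        byte[] salt = Base64.getDecoder().decode(f[1]);
        byte[] expected = Base64.getDecoder().decode(f[0]);
        byte[] actual = Base64.getDecoder().decode(hash(password, salt, f[2]));
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // SHA-256 is the default the template text describes for an unspecified algorithm.
        Map<String, String> hashed = hashEntries(SAMPLE, "SHA-256", true);
        hashed.forEach((role, value) -> System.out.println(role + " " + value));
        System.out.println("monitorRole login ok: " + verify(hashed.get("monitorRole"), "example-pass-1"));
        try {
            hashEntries(SAMPLE_WITH_DUPLICATE, "SHA-256", true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it prints the two hashed entries, confirms that the stored value verifies the original password, and shows the duplicate-role file being rejected when rejectDuplicates is true; passing false instead reproduces the "last one is used" behaviour the template describes.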