RFE Review : JDK-5016517 - Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent

Harsha Wardhana B harsha.wardhana.b at oracle.com
Thu Oct 12 08:16:12 UTC 2017


Hi Mandy,


On Wednesday 11 October 2017 11:48 PM, mandy chung wrote:
>
>
> On 10/8/17 10:34 PM, Harsha Wardhana B wrote:
>>
>> Hi Daniel,
>>
>> Below is the webrev addressing the review comments.
>>
>> http://cr.openjdk.java.net/~hb/5016517/webrev.04/
>>
>
> This approach seems reasonable.   I only review management.properties 
> and jmxremote.password.template file.
> 304 # ################# Hash passwords in password file ##############
> 305 # com.sun.management.jmxremote.password.hashpasswords = true|false
> 306 # Default for this property is true.
> 307 # Specifies if passswords in the above file should be hashed or not.
>
> typo: passswords
> s/above file/password file/ - it has been referred to as "password file"
> in many places.
Done.
> I'm wondering whether there is any better alternative to the new property name?
> com.sun.management.jmxremote.password.hashes
> com.sun.management.jmxremote.password.asHashes
> com.sun.management.jmxremote.password.toHashes
>
> 49 # https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
> 50 # MD5, SHA-1 and SHA-256 are supported algorithms.
> 51 # This is an optional field. If not specified SHA-256 will be assumed.
> I would avoid the link to the documentation of a specific JDK release.
> Maybe say:
>
> Refer to "Java Security Standard Algorithm Names Specification"
> for supported algorithms.
Will modify the file appropriately.
>
>
> 53 # If passwords are in clear, they will be over-written by their hash if all of
>
> s/over-written/overwritten
>
> 67 # If multiple entries are found for the same role name, then the last one
> 68 # is used.
>
> If there are multiple entries of the same role, will all entries be
> overridden with the hash value? It may be better to detect it as an error
> when there is more than one entry for the same role?
It would be better to log a warning. Throwing an error would seem a bit 
extreme.
> HashedPasswordFileTest.java
> @bug is missing
>
> Mandy
-Harsha
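The thread discusses three behaviours of the password-file change without showing the code: clear-text entries being overwritten by their hash when hashpasswords is true, an optional per-entry algorithm field that defaults to SHA-256, and duplicate role names where the last entry wins (with a warning rather than an error, as Harsha prefers). The following is an added illustration written for this page; it is not the webrev's code and does not reproduce the JDK's actual file layout. The line formats it assumes ("role clear-text" for clear entries, "role base64(salt) base64(hash) [algorithm]" for hashed ones), the salted digest construction digest(salt || password), the 16-byte salt size and the class/method names are all assumptions made for the example. It needs Java 16 or later (records, Stream.toList).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Illustrative (not the JDK's) handling of a JMX-style password file.
 * Assumed line layouts, chosen for this example:
 *   role clear-text-password
 *   role base64(salt) base64(digest(salt || password)) [algorithm]
 * A missing algorithm field means SHA-256, mirroring the template text.
 */
public final class HashedPasswordFile {
    private static final Logger LOG = Logger.getLogger(HashedPasswordFile.class.getName());
    private static final String DEFAULT_ALGORITHM = "SHA-256";
    private static final SecureRandom RNG = new SecureRandom();

    /** One role entry; clearText != null means the password has not been hashed yet. */
    public record Entry(String role, byte[] salt, byte[] hash, String algorithm, String clearText) {
        boolean hashed() { return clearText == null; }
    }

    /** Parses the file; a later entry for a role overrides earlier ones and logs a warning. */
    public static Map<String, Entry> parse(List<String> lines) {
        Map<String, Entry> entries = new LinkedHashMap<>();
        int lineNo = 0;
        for (String raw : lines) {
            lineNo++;
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] f = line.split("\\s+");
            Entry e;
            if (f.length == 2) {                       // still in clear
                e = new Entry(f[0], null, null, null, f[1]);
            } else if (f.length == 3 || f.length == 4) { // hashed, algorithm optional
                String alg = f.length == 4 ? f[3] : DEFAULT_ALGORITHM;
                e = new Entry(f[0], Base64.getDecoder().decode(f[1]),
                              Base64.getDecoder().decode(f[2]), alg, null);
            } else {
                throw new IllegalArgumentException("line " + lineNo + ": malformed entry");
            }
            if (entries.containsKey(e.role())) {
                LOG.warning("line " + lineNo + ": duplicate role '" + e.role() + "', last entry wins");
            }
            entries.put(e.role(), e);
        }
        return entries;
    }

    /** Assumed construction: digest over salt followed by the UTF-8 password bytes. */
    static byte[] digest(String alg, byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(alg);
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    /** What hashpasswords=true does to the file: every clear entry becomes a salted hash. */
    public static Map<String, Entry> hashClearText(Map<String, Entry> entries, String alg)
            throws NoSuchAlgorithmException {
        Map<String, Entry> out = new LinkedHashMap<>();
        for (Entry e : entries.values()) {
            if (e.hashed()) { out.put(e.role(), e); continue; }
            byte[] salt = new byte[16];
            RNG.nextBytes(salt);
            out.put(e.role(), new Entry(e.role(), salt, digest(alg, salt, e.clearText()), alg, null));
        }
        return out;
    }

    /** Serialises entries back in the assumed layout so the file can be rewritten in place. */
    public static String render(Map<String, Entry> entries) {
        StringBuilder sb = new StringBuilder();
        Base64.Encoder enc = Base64.getEncoder();
        for (Entry e : entries.values()) {
            sb.append(e.role()).append(' ');
            if (e.hashed()) {
                sb.append(enc.encodeToString(e.salt())).append(' ')
                  .append(enc.encodeToString(e.hash())).append(' ').append(e.algorithm());
            } else {
                sb.append(e.clearText());
            }
            sb.append('\n');
        }
        return sb.toString();
    }

    /** Constant-time comparison of a presented password against the stored entry. */
    public static boolean verify(Entry e, String password) throws NoSuchAlgorithmException {
        byte[] presented = password.getBytes(StandardCharsets.UTF_8);
        if (!e.hashed()) {
            return MessageDigest.isEqual(e.clearText().getBytes(StandardCharsets.UTF_8), presented);
        }
        return MessageDigest.isEqual(e.hash(), digest(e.algorithm(), e.salt(), password));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file: two clear entries plus a duplicate role.
        List<String> sample = List.of(
            "# role       password",
            "monitorRole  QED",
            "controlRole  R&D",
            "controlRole  secret2");          // duplicate: this entry is the one used
        Map<String, Entry> hashed = hashClearText(parse(sample), DEFAULT_ALGORITHM);
        String rewritten = render(hashed);
        System.out.print(rewritten);
        // Round-trip: re-read the rewritten file and check credentials against it.
        Map<String, Entry> reloaded = parse(rewritten.lines().toList());
        System.out.println(verify(reloaded.get("controlRole"), "secret2"));
        System.out.println(verify(reloaded.get("controlRole"), "R&D"));
    }
}
```

Two points worth noting when reading this against the review. First, the duplicate-role warning fires at parse time, before any rewrite, so an operator sees it regardless of whether hashpasswords is on; once the file is rewritten only the surviving entry remains, which is the "last one is used" rule made explicit. Second, a single salted digest with MD5, SHA-1 or SHA-256 (the algorithms the template lists) protects a leaked file only against direct reuse of the password, not against offline guessing of weak passwords; a deployment that can choose should prefer a deliberately slow construction for the stored value, and MD5 and SHA-1 should be treated as legacy compatibility options rather than defaults.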