[DBCP-562] avoids exposing password via JMX #38

Closed

@fgdrf fgdrf commented Mar 4, 2020

For details see https://issues.apache.org/jira/browse/DBCP-562

Signed-off-by: Frank Gasdorf <fgdrf@users.sourceforge.net>

@garydgregory
Member

Well, since we cannot get rid of the method within a major release, we need to work around that by perhaps making it return always null but only when publishing an implementation as a JMX object, which might mean creating a wrapper class that delegates all methods except getPassword().

@rhuddleston

Any updates on the plans for this @fgdrf ? It shows up on snyk reports https://snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-559327 so would be nice if there was some fix. Thanks!

@fgdrf
Author

fgdrf commented Apr 30, 2021

> Well, since we cannot get rid of the method within a major release, we need to work around that by perhaps making it return always null but only when publishing an implementation as a JMX object, which might mean creating a wrapper class that delegates all methods except getPassword().

How about creating a new interface, e.g. IDataSourcePassword, that is implemented by BasicDataSource, with the getPassword() method moving from BasicDataSourceMXBean to IDataSourcePassword?

Going to update this pull request with this approach ;)

@fgdrf fgdrf force-pushed the FIX_PASSWORD_EXPOSRT_VIA_JMX branch 6 times, most recently from f33518b to 831186b Compare April 30, 2021 09:03
@fgdrf
Author

fgdrf commented Apr 30, 2021

build fails due to API incompatible change:

Error:  Failed to execute goal com.github.siom79.japicmp:japicmp-maven-plugin:0.15.3:cmp (default-cli) on project commons-dbcp2: There is at least one incompatibility: org.apache.commons.dbcp2.BasicDataSourceMXBean.getPassword():METHOD_REMOVED -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
Error: Process completed with exit code 1.

@fgdrf fgdrf force-pushed the FIX_PASSWORD_EXPOSRT_VIA_JMX branch 2 times, most recently from ffe1b32 to 2c9bac7 Compare May 3, 2021 12:14
@fgdrf
Author

fgdrf commented May 3, 2021

here we go, finally found a solution by using StandardMBean.

@fgdrf fgdrf force-pushed the FIX_PASSWORD_EXPOSRT_VIA_JMX branch from 2c9bac7 to 0584883 Compare May 3, 2021 12:24
@fgdrf fgdrf requested a review from garydgregory May 3, 2021 12:37
Signed-off-by: Frank Gasdorf <fgdrf@users.sourceforge.net>
@fgdrf fgdrf force-pushed the FIX_PASSWORD_EXPOSRT_VIA_JMX branch from 0584883 to 8f3a21e Compare May 5, 2021 09:56
@ManjunathMS35

Hello, when could be the new release with this fix?

@garydgregory
Member

garydgregory commented May 10, 2021 via email

asfgit pushed a commit that referenced this pull request May 31, 2021
This commit is a cleanup version of the PR
https://patch-diff.githubusercontent.com/raw/apache/commons-dbcp/pull/38.diff

- Fix spelling in private method name: registrateJmxObjectName ->
registerJmxObjectName.
- Use @since 2.9.0 <- 2.9
- Update some Javadocs with links.
- Order methods in new interface.
@garydgregory
Member

Please see git master.
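
The `StandardMBean` approach mentioned in the thread above, as an added example that is not code from this pull request or from Commons DBCP: the interfaces `PoolMXBean` and `PoolInfo`, the class `Pool`, the object names and the sample values are hypothetical stand-ins. It registers the same object twice, once directly and once through `StandardMBean` with a management interface that omits `getPassword()`, and compares what a JMX client can read.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import javax.management.AttributeNotFoundException;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.StandardMBean;

public class JmxPasswordExposure {
    // Hypothetical management interface that still declares the password getter.
    public interface PoolMXBean { String getUrl(); String getPassword(); }
    // Hypothetical restricted management interface: no password accessor.
    public interface PoolInfo { String getUrl(); }
    public static class Pool implements PoolMXBean, PoolInfo {
        @Override public String getUrl() { return "jdbc:example://db.invalid/app"; } // constructed
        @Override public String getPassword() { return "constructed-secret"; }       // constructed
    }

    // Attribute names a JMX client can see for the given registration.
    static List<String> attributes(MBeanServer server, ObjectName name) throws Exception {
        List<String> names = new ArrayList<>();
        for (MBeanAttributeInfo info : server.getMBeanInfo(name).getAttributes()) {
            names.add(info.getName());
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        Pool pool = new Pool();
        // Before: the bean is registered directly, so every getter of PoolMXBean is an attribute.
        ObjectName full = new ObjectName("example:type=Pool,view=full");
        server.registerMBean(pool, full);
        System.out.println("direct registration: " + attributes(server, full));
        System.out.println("Password read over JMX: " + server.getAttribute(full, "Password"));

        // After: StandardMBean publishes only the methods of PoolInfo for the same object.
        ObjectName restricted = new ObjectName("example:type=Pool,view=restricted");
        server.registerMBean(new StandardMBean(pool, PoolInfo.class), restricted);
        System.out.println("StandardMBean registration: " + attributes(server, restricted));
        try {
            server.getAttribute(restricted, "Password");
            throw new AssertionError("Password is still readable over JMX");
        } catch (AttributeNotFoundException expected) {
            System.out.println("Password attribute is not exposed");
        }
    }
}
```

The Java method `getPassword()` stays on the class, so existing callers keep compiling; only the JMX view of the object changes.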
