Bug 54599 - DataSource password is exposed to applications via toString method
DataSource password is exposed to applications via toString method
Status: RESOLVED FIXED
Product: Tomcat Modules
Classification: Unclassified
Component: jdbc-pool
unspecified
All All
: P2 minor (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2013-02-22 16:37 UTC by Daniel Mikusa
Modified: 2014-02-17 13:50 UTC (History)
1 user (show)



Attachments
Patch (827 bytes, patch)
2013-02-22 17:18 UTC, Daniel Mikusa
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Mikusa 2013-02-22 16:37:23 UTC
On the server side, create a DataSource using "org.apache.tomcat.jdbc.pool.DataSourceFactory".

Ex:

        <Resource auth="Container"
                  description=""
                  name="jdbc/testTomcatJdbc"
                  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
                  type="javax.sql.DataSource"
                  username="sa"
                  password="super-secret"
                  driverClassName="org.h2.Driver"
                  url="jdbc:h2:mem:test"
                  minIdle="1"
                  initialSize="1" />

In a web application, create a JSP file, add the following:

<%@ page import="javax.naming.*" session="false" %>
<!DOCTYPE HTML>
<html>

<head>
    <title>Display Password!</title>
</head>
<body>
    <h1>toString for Tomcat JDBC</h1>
    <%
      dataSource = (javax.sql.DataSource) ctx.lookup("java:/comp/env/jdbc/testTomcatJdbc");
      out.println("<p>" + dataSource.toString() + "</p>");
    %>
</body>
</html>

Access the JSP in your browser.  The output from toString on the DataSource will display the password that was configured in the <Resource/> tag.

Example Output:

toString for Tomcat JDBC

org.apache.tomcat.jdbc.pool.DataSource@75cae120{ConnectionPool[defaultAutoCommit=null; defaultReadOnly=null; defaultTransactionIsolation=-1; defaultCatalog=null; driverClassName=org.h2.Driver; maxActive=100; maxIdle=100; minIdle=1; initialSize=1; maxWait=30000; testOnBorrow=false; testOnReturn=false; timeBetweenEvictionRunsMillis=5000; numTestsPerEvictionRun=0; minEvictableIdleTimeMillis=60000; testWhileIdle=false; testOnConnect=false; password=super-secret; url=jdbc:h2:mem:test; username=sa; validationQuery=null; validatorClassName=null; validationInterval=30000; accessToUnderlyingConnectionAllowed=true; removeAbandoned=false; removeAbandonedTimeout=60; logAbandoned=false; connectionProperties=null; initSQL=null; jdbcInterceptors=null; jmxEnabled=true; fairQueue=true; useEquals=true; abandonWhenPercentageFull=0; maxAge=0; useLock=false; dataSource=null; dataSourceJNDI=null; suspectTimeout=0; alternateUsernameAllowed=false; commitOnReturn=false; rollbackOnReturn=false; useDisposableConnectionFacade=true; logValidationErrors=false; propagateInterruptState=false; }
Comment 1 Daniel Mikusa 2013-02-22 17:18:49 UTC
Created attachment 29983 [details]
Patch

Attaching a simple patch to mask the password in toString.
Comment 2 Konstantin Kolinko 2013-03-22 09:24:21 UTC
Thank you for the patch.
Fixed by r1459683 and will be in 7.0.39.