Glassfish logs JVM options (including passwords) on startup #5412
Comments
@dheles and I have been discussing this a bit at http://irclog.iq.harvard.edu/dataverse/2018-12-19#i_83268 and I wanted to point out that printing the JVM options like this is the out-of-the-box Glassfish behavior. In the example below, I installed Glassfish 4.1 fresh into
Over at https://javabot.evanchooly.com/logs/%23glassfish/2018-12-19 I asked if anyone knows if it's possible to suppress this output.
A very helpful person in #glassfish mentioned "password aliases", which led me to the following quote at https://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
It's hard to find HTML versions of Glassfish docs these days, but here are some docs for Glassfish 3: https://docs.oracle.com/cd/E19798-01/821-1751/ghgqc/index.html Payara has some HTML docs: https://docs.payara.fish/documentation/payara-server/password-aliases/ Anyway, from IRC it sounds like @dheles is going to play around and see what he can figure out about what's possible without any code changes.
Should I mention #5293 or not? An example for the password aliases usage can be found here: https://github.com/poikilotherm/dataverse/blob/5292-small-container/conf/docker/app/init_2_configure.sh Beware, this is using Payara 5. Your mileage may vary.
@poikilotherm yes! I didn't know you are already playing with
Pull request #5487 makes sense to me so I'm moving it to QA. @dheles I'm wondering if a doc update should be included though. Right now I sometimes rely on jumping on a test server and looking up the password for the database in domain.xml. What would I do in the future? The password is in some other file? By the way, I thought I'd try running the docker-aio tests on this branch but I can't. I'm blocked by #5374. We'd like it to be easy for developers to run the test suite.
Just added a review on #5487 and I second the need for docs on aliases.
I just added some docs in 820b1ee and I'm moving this to QA. If anyone doesn't like what I wrote, please speak up. Looking at you @dheles @poikilotherm @landreev 😄
Thanks for adding the docs and moving it along @pdurbin. |
@pdurbin I think the docs look good. The only change I might suggest would be linking to the glassfish reference manual: https://javaee.github.io/glassfish/doc/4.0/reference-manual.pdf
@dheles sounds fine. Please feel free to add a commit for this. Thanks!
@pdurbin so link to the reference manual instead of the payara docs, or in addition to?
@dheles well, I do like the direct link to a specific HTML page so I guess I'm thinking "in addition to". If we only link to the PDF you have to say which page it's on.
As appears to be its default behavior, Glassfish logs the JVM options to server.log on startup. Unfortunately, this includes doi and rserve passwords. I have been unable to find a way to avoid this.
Example log entry:
[2018-12-19T18:40:00.967+0000] [] [INFO] [NCLS-GFLAUNCHER-00005] [javax.enterprise.launcher] [tid: _ThreadID=1 _ThreadName=main] [timeMillis: 1545244800967] [levelValue: 800] [[ JVM invocation command line: ... -Ddataverse.rserve.password=[PASSWORD] -Ddoi.password=[PASSWORD]
Glassfish code responsible:
https://github.com/eclipse-ee4j/glassfish/blob/glassfish-main-aggregator-5.1.0-RC1/nucleus/admin/launcher/src/main/java/com/sun/enterprise/admin/launcher/GFLauncherLogger.java#L159
The log level in question is only INFO, so I'd be happy to simply raise it to WARNING, but neither logging.properties nor asadmin list-log-levels seem to contain the relevant logger.
Alternately, moving the passwords to the database* would help.
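A check for the exposure described in this issue, as an added example that is not part of the original thread or of the Dataverse or Glassfish code: it scans server.log text for "JVM invocation command line" records and reports password-like -D options that were logged with a literal value, treating GlassFish `${ALIAS=name}` password-alias references as safe. The sample log, its values, the alias name and the function names are constructed for illustration.

```python
import re

MARKER = "JVM invocation command line:"
# -Dname=value options whose name suggests a secret; the value stops at
# whitespace or at the "]]" that closes a Glassfish log record.
SECRET_OPT = re.compile(
    r"-D(?P<name>[\w.\-]*(?:password|passwd|secret)[\w.\-]*)="
    r"(?P<value>\S+?)(?=\]\]|\s|$)", re.I)
# A password-alias reference: only the alias name reaches the log.
ALIAS_REF = re.compile(r"^\$\{ALIAS=[^}]+\}$")

# Constructed sample modelled on the log entry in the issue (fake values).
SAMPLE_LOG = """\
[2018-12-19T18:40:00.967+0000] [] [INFO] [NCLS-GFLAUNCHER-00005] [javax.enterprise.launcher] [tid: _ThreadID=1 _ThreadName=main] [timeMillis: 1545244800967] [levelValue: 800] [[
  JVM invocation command line:
/usr/bin/java
-Ddataverse.rserve.password=example-rserve-pw
-Ddoi.password=${ALIAS=doi_password_alias}
-Ddoi.username=example-user
-Xmx512m]]
"""

def find_exposed_options(log_text):
    """Names of secret-looking -D options logged with a literal value."""
    exposed = set()
    start = log_text.find(MARKER)
    while start != -1:
        end = log_text.find("]]", start)  # end of this log record
        record = log_text[start:end if end != -1 else len(log_text)]
        for m in SECRET_OPT.finditer(record):
            if not ALIAS_REF.match(m.group("value")):
                exposed.add(m.group("name"))
        start = log_text.find(MARKER, start + len(MARKER))
    return sorted(exposed)

def redact(log_text):
    """Mask literal secret values; alias references are left intact."""
    def mask(m):
        if ALIAS_REF.match(m.group("value")):
            return m.group(0)
        return f"-D{m.group('name')}=[REDACTED]"
    return SECRET_OPT.sub(mask, log_text)

if __name__ == "__main__":
    print("exposed:", find_exposed_options(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Redaction only cleans copies of the log; any password that already appeared in server.log in clear text should be rotated after it is moved behind an alias.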