
All start.d ini parameters become viewable; non-obvious

Open kevinmcmurtrie opened this issue 1 month ago • 1 comments

Jetty version(s)
Jetty 12

Enhancement Description
Contents of ini files in start.d turn into process parameters. It's non-obvious that settings, possibly protected by file permissions, become part of the publicly viewable process arguments. This isn't great for anything that contains a password, like start.d/ssl.ini.

It looks like it happens here: https://github.com/jetty/jetty.project/blob/dde6ae18f93a2b82e900ceb8b79210f44948e79d/jetty-home/src/main/resources/bin/jetty.sh#L571

The best solution would be for the file contents to remain hidden. At the least, ssl.ini and similar should locally document that all values become public.

kevinmcmurtrie avatar Nov 10 '25 07:11 kevinmcmurtrie

This is what jetty.sh does now, but you can write your own script and use the JVM arguments file feature as documented here: https://jetty.org/docs/jetty/12.1/operations-guide/start/index.html#configure-dry-run

Search for "JVM arguments file feature" in that page.

However, it is an interesting idea, and we may offer it as an option, and maybe default it in the future.

For reference, the java @argFile syntax was introduced in Java 9, see also https://bugs.openjdk.org/browse/JDK-8027634.

sbordet avatar Dec 03 '25 19:12 sbordet
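
An added example, not part of the thread or of jetty.sh: a shell check an operator can run to see which secret-looking properties a process exposes in its argument vector, compared for a launch with the ini properties expanded inline and a launch through a JVM arguments file. The sample command lines, the paths and the name pattern are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from jetty.sh): list secret-looking properties that a
# process exposes in its argument vector. Property values are never printed.

# $1: file in /proc/<pid>/cmdline format (arguments separated by NUL bytes).
# Prints "name=<redacted>" per match. The name pattern is an assumption.
secret_args() {
    tr '\0' '\n' < "$1" | awk -F= '
        NF > 1 {
            name = $1
            sub(/^-D/, "", name)   # treat -Dname=value like name=value
            if (tolower(name) ~ /password|passphrase|secret/)
                print name "=<redacted>"
        }'
}

# Number of secret-looking arguments in the cmdline file $1.
secret_arg_count() {
    secret_args "$1" | wc -l | tr -d ' '
}

# Constructed sample: start.d/ssl.ini properties expanded into the argv.
sample_inline() {
    printf '%s\0' java -Djetty.base=/srv/base \
        org.eclipse.jetty.xml.XmlConfiguration jetty.ssl.port=8443 \
        jetty.sslContext.keyStorePassword=constructed-value \
        jetty.sslContext.keyManagerPassword=constructed-value
}

# Constructed sample: the same server launched as "java @argfile".
sample_argfile() {
    printf '%s\0' java @/srv/base/run/jvm_cmd_line.txt
}

# Linux only: report exposed property names for each PID given.
audit_pids() {
    for pid in "$@"; do
        f="/proc/$pid/cmdline"
        [ -r "$f" ] || continue
        if [ "$(secret_arg_count "$f")" -gt 0 ]; then
            echo "pid $pid exposes:"
            secret_args "$f"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit_pids "$@"; fi
```

When the server is started through an arguments file, the file itself still holds the values, so it needs the same restrictive permissions as start.d/ssl.ini.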