Username and password for the AS2 HSQLDB databases (config and runtime) are hardcoded in the Java source files.
This could pose a security risk, I think.
Anybody within our network and with knowledge of the JDBC address and this standard password could access and manipulate our config DB or runtime DB.
So I suggest having an option to change the DB password and having it configurable in the AS2 server configuration files.
That way it would be necessary for an "attacker" to have access to the host of the AS2 installation.
At least some extra protection, isn't it?
Everybody in the same network could simply start a client to access the data; there is no need to access the database. And making the database password configurable will break the automatic update process and installation transfer process.