Username and password for the AS2 HSQLDB databases (config and runtime) are hardcoded in the Java source files.
This could impose a security risk, I think.
Anybody within our network and with knowledge of the JDBC address and this standard password could access and manipulate our config DB or runtime DB.
So I suggest to have an option to change the DB password and have it configurable in the AS2 server configuration files.
That way it would be necessary for an "attacker" to have access to the host of the AS2 installation.
At least some extra protection, isn't it ?