directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSERVER-772) Credentials in server.xml is read as byte[], and is visible
Date Sun, 05 Nov 2006 13:47:16 GMT
Credentials in server.xml is read as byte[], and is visible
-----------------------------------------------------------

                 Key: DIRSERVER-772
                 URL: http://issues.apache.org/jira/browse/DIRSERVER-772
             Project: Directory ApacheDS
          Issue Type: Bug
            Reporter: Emmanuel Lecharny


The credentials declared in the server.xml files are read as a byte array during the server
initialization. Worst, it is visible to the mere mortal who has access to this file.
At this point, I don't think that storing a password in a configuration file is a good idea.
There should be a phase in installation where the password must be asked to the administrator,
and stored in the base, crypted, of course !
However, if we don't change that in the next version, we must fix the conversion from String
to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml
file's encoding. The piece of code that read the credential is :
...
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
        {
            credential = null;
        }
        else if ( value instanceof String )
        {
            credential = ( ( String ) value ).getBytes();
        }

Here, we should have something like :
            credential = ( ( String ) value ).getBytes( "UTF-8" );


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message