directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DIRSERVER-772) Credentials in server.xml is transformed to byte[] without using "UTF-8"
Date Sun, 05 Nov 2006 13:49:17 GMT
     [ http://issues.apache.org/jira/browse/DIRSERVER-772?page=all ]

Emmanuel Lecharny updated DIRSERVER-772:
----------------------------------------

        Summary: Credentials in server.xml is transformed to byte[] without using "UTF-8"
 (was: Credentials in server.xml is read as byte[], and is visible)
    Description: 
The credentials declared in the server.xml files are read as a byte array during the server
initialization. 
However, if we don't change that in the next version, we must fix the conversion from String
to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml
file's encoding. The piece of code that read the credential is :
...
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
        {
            credential = null;
        }
        else if ( value instanceof String )
        {
            credential = ( ( String ) value ).getBytes();
        }

Here, we should have something like :
            credential = ( ( String ) value ).getBytes( "UTF-8" );


  was:
The credentials declared in the server.xml files are read as a byte array during the server
initialization. Worst, it is visible to the mere mortal who has access to this file.
At this point, I don't think that storing a password in a configuration file is a good idea.
There should be a phase in installation where the password must be asked to the administrator,
and stored in the base, crypted, of course !
However, if we don't change that in the next version, we must fix the conversion from String
to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml
file's encoding. The piece of code that read the credential is :
...
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
        {
            credential = null;
        }
        else if ( value instanceof String )
        {
            credential = ( ( String ) value ).getBytes();
        }

Here, we should have something like :
            credential = ( ( String ) value ).getBytes( "UTF-8" );



Renamed the issue, and discared the problem of visibility, it deserves another issue

> Credentials in server.xml is transformed to byte[] without using "UTF-8"
> ------------------------------------------------------------------------
>
>                 Key: DIRSERVER-772
>                 URL: http://issues.apache.org/jira/browse/DIRSERVER-772
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Emmanuel Lecharny
>
> The credentials declared in the server.xml files are read as a byte array during the
server initialization. 
> However, if we don't change that in the next version, we must fix the conversion from
String to byte[], because the user's default encoding may be different from UTF-8, which is
the server.xml file's encoding. The piece of code that read the credential is :
> ...
>         Object value = env.get( Context.SECURITY_CREDENTIALS );
>         if ( value == null )
>         {
>             credential = null;
>         }
>         else if ( value instanceof String )
>         {
>             credential = ( ( String ) value ).getBytes();
>         }
> Here, we should have something like :
>             credential = ( ( String ) value ).getBytes( "UTF-8" );

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message