     [ http://issues.apache.org/jira/browse/DIRSERVER-772?page=all ]

Emmanuel Lecharny updated DIRSERVER-772:
----------------------------------------

    Summary: Credentials in server.xml is transformed to byte[] without using "UTF-8"  (was: Credentials in server.xml is read as byte[], and is visible)

Description:
The credentials declared in the server.xml files are read as a byte array during the server initialization.

However, if we don't change that in the next version, we must fix the conversion from String to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml file's encoding. The piece of code that reads the credential is:

    ...
    Object value = env.get( Context.SECURITY_CREDENTIALS );

    if ( value == null )
    {
        credential = null;
    }
    else if ( value instanceof String )
    {
        credential = ( ( String ) value ).getBytes();
    }

Here, we should have something like:

    credential = ( ( String ) value ).getBytes( "UTF-8" );

  was:
The credentials declared in the server.xml files are read as a byte array during the server initialization. Worse, it is visible to the mere mortal who has access to this file.

At this point, I don't think that storing a password in a configuration file is a good idea. There should be a phase in installation where the password must be asked of the administrator, and stored in the base, encrypted, of course!

However, if we don't change that in the next version, we must fix the conversion from String to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml file's encoding. The piece of code that reads the credential is:

    ...
    Object value = env.get( Context.SECURITY_CREDENTIALS );

    if ( value == null )
    {
        credential = null;
    }
    else if ( value instanceof String )
    {
        credential = ( ( String ) value ).getBytes();
    }

Here, we should have something like:

    credential = ( ( String ) value ).getBytes( "UTF-8" );

Renamed the issue, and discarded the problem of visibility; it deserves another issue.

> Credentials in server.xml is transformed to byte[] without using "UTF-8"
> ------------------------------------------------------------------------
>
>          Key: DIRSERVER-772
>          URL: http://issues.apache.org/jira/browse/DIRSERVER-772
>      Project: Directory ApacheDS
>   Issue Type: Bug
>     Reporter: Emmanuel Lecharny
>
> The credentials declared in the server.xml files are read as a byte array during the server initialization.
>
> However, if we don't change that in the next version, we must fix the conversion from String to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml file's encoding. The piece of code that reads the credential is:
>
>     ...
>     Object value = env.get( Context.SECURITY_CREDENTIALS );
>
>     if ( value == null )
>     {
>         credential = null;
>     }
>     else if ( value instanceof String )
>     {
>         credential = ( ( String ) value ).getBytes();
>     }
>
> Here, we should have something like:
>
>     credential = ( ( String ) value ).getBytes( "UTF-8" );

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
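The encoding mismatch the issue describes, shown as an added stand-alone example (this is not ApacheDS code and not the reporter's snippet): a credential containing non-ASCII characters is turned into bytes once with the JVM's default charset and once with UTF-8 pinned, and the two byte arrays are compared against what a client that read the same UTF-8 server.xml would present. The class name, the sample password and the helper names are constructed for the demonstration; `StandardCharsets.UTF_8` is the Java 7+ equivalent of the `getBytes( "UTF-8" )` proposed in the issue.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example (not ApacheDS code): why String.getBytes() without a charset
// argument is a bug for a credential read from a UTF-8 encoded server.xml.
public class CredentialEncodingDemo {

    // Constructed sample credential standing in for the value read from
    // server.xml. The file is UTF-8, so the bytes the server must compare
    // against are the UTF-8 encoding of this string.
    static final String CONFIGURED_PASSWORD = "p\u00e4ssw\u00f6rd"; // "pässwörd"

    // Buggy conversion, as in the snippet quoted in the issue: the platform
    // default charset decides the bytes, so the result differs between JVMs.
    static byte[] toBytesDefaultCharset(String credential) {
        return credential.getBytes();
    }

    // Fixed conversion: the charset is pinned to UTF-8 regardless of platform.
    // getBytes("UTF-8") as proposed in the issue produces the same bytes;
    // StandardCharsets avoids the checked UnsupportedEncodingException.
    static byte[] toBytesUtf8(String credential) {
        return credential.getBytes(StandardCharsets.UTF_8);
    }

    // Plain array comparison is enough to show the mismatch; a real
    // credential check would use a constant-time comparison.
    static boolean credentialMatches(byte[] stored, byte[] presented) {
        return Arrays.equals(stored, presented);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // What a client that read the same UTF-8 config sends: UTF-8 bytes.
        byte[] presented = CONFIGURED_PASSWORD.getBytes(StandardCharsets.UTF_8);

        // Simulate a server whose default charset is ISO-8859-1 by encoding
        // explicitly; on a JVM started with that default, plain getBytes()
        // yields exactly these bytes.
        byte[] storedLatin1 = CONFIGURED_PASSWORD.getBytes(Charset.forName("ISO-8859-1"));
        byte[] storedUtf8 = toBytesUtf8(CONFIGURED_PASSWORD);

        System.out.println("default charset on this JVM : " + Charset.defaultCharset());
        System.out.println("getBytes() on this JVM      : "
                + hex(toBytesDefaultCharset(CONFIGURED_PASSWORD)));
        System.out.println("ISO-8859-1 bytes            : " + hex(storedLatin1)
                + " match=" + credentialMatches(storedLatin1, presented));
        System.out.println("UTF-8 bytes                 : " + hex(storedUtf8)
                + " match=" + credentialMatches(storedUtf8, presented));
    }
}
```

Run with `java CredentialEncodingDemo.java` (Java 11+). The ISO-8859-1 encoding of the sample is two bytes shorter than the UTF-8 encoding, so the comparison against the client's bytes fails for the default-charset path and succeeds for the pinned UTF-8 path. Note that since Java 18 (JEP 400) the default charset is UTF-8 on every platform, which is why the example simulates the legacy default explicitly: on an older or differently configured JVM, the first `getBytes()` line is where an administrator would otherwise see a non-ASCII credential silently stop matching.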