directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: Status...
Date Thu, 04 Apr 2013 19:20:34 GMT
On 03.04.2013 17:23, Pierre-Arnaud Marcelot wrote:
> Thanks Jeff.
> 
> I did look at that before working on it.
> But, as far as I remember it was requiring a more recent version of Eclipse (3.5 maybe,
I don't remember exactly) than what we currently support (3.3 I guess).
> So the API is not available.
> 
> The fact that you don't need to provide a password to read the data is interesting and
that's exactly why I chose to make this optional in Studio.
> I really think most of our users don't want to be asked a password when connecting to
a server.
> But for people dealing with very sensitive server connection, the passwords keystore
is a must have.

Hm, I wonder why we need to stick with the 3.3 API? I mean that version
is more then 5 years old. And the RCP application is already up-to-date
and used version 3.8.

> On 3 avr. 2013, at 17:10, Jeff MAURY <jeffmaury@jeffmaury.com> wrote:
> 
>> Please note that Eclipse provides such a functionality out of the box. The secure
storage is managed by Eclipse and you just need to save your sensitive configuration data
(password). There is no need to provide a password when reading the data (at least on Windows
at Eclipse has an integration with the Windows authentication layer).
>> I have used it in my Eclipse based product, and for security reasons, I choose to
make it non optional.
>>
>> Jeff
>>
>>
>> On Wed, Apr 3, 2013 at 10:43 AM, Pierre-Arnaud Marcelot <pa@marcelot.net> wrote:
>> In the past week, I've been working on a interesting and very important feature for
Apache Directory Studio: secure storage of connections passwords into a password-protected
keystore.
>>
>> At the moment, when you check the "Save password" checkbox in the properties of a
connection, that password gets saved in the connections file alongside other parameters like
host, port, etc.
>> The problem is that the password is saved in clear text in the file and that could
be an issue for some users.
>>
>> So, the idea is to have an option (disabled by default) in Apache Directory Studio
to save the passwords of the connections in a keystore protected by a "master password". This
password would be asked when accessing the password of a connection (opening a connection
for example).
>>
>> This is a very low-level addition in Studio's code and a very sensitive refactoring,
so I'm extra cautious here.
>>
>> I really think we can't release a 2.0 version of Studio without this kind of functionality.
It's really a must-have.

I agree that we need such a thing. I feel ashamed and careless that I
implemented the password saving without proper security back then :(

Kind Regards,
Stefan





Mime
View raw message