geronimo-dev mailing list archives

From Dain Sundstrom <>
Subject Re: Constructing deployment plans from Configuration GBeanData
Date Sat, 19 Nov 2005 18:11:56 GMT
How about we do what Apple does...  When connecting to a protected
wifi node, it won't show you the password unless you ask it to.  This
prevents shoulder surfing but if you know your location is safe, you
can actually see what you typed.  Also the key chain manager built
into the OS allows you to see your stored passwords but you must
provide your master password first.

Anyway, we could pop up a dialog box reminding the user that the  
configuration file may contain sensitive information such as  
passwords and do they really want to show it on the screen?    
Alternatively, we could ask the user to re-authenticate themselves  
before showing any sensitive information, but I'm not sure how you do  
this in a web application.


On Nov 18, 2005, at 9:14 AM, Aaron Mulder wrote:

> On 11/18/05, Dain Sundstrom <> wrote:
>> Wait a sec.  We are worried about an administrator that has access to
>> the console from seeing a password embedded in a configuration file?
>> The admin can deploy applications, which could easily just scan for
>> passwords in memory or on disk.  Anyone with access to this console
>> is "root" for the geronimo instance.
> Yeah, that's why I waffle.  But for example, if you look at a database
> pool in the console, it uses a password field and doesn't show you the
> plain text.  It's not that you can't get around this (via, say, view
> source, if not writing your own code to inspect the GBeans), it's that
> I'm not sure I like flagrantly popping up stuff with passwords right
> there.  You know, shoulder-surfing, or whatever.
> Erin says some people argue that no security is better than something
> weak that gives you a false sense of security, but I also think
> there's a place for defending against the casual observer.
> Forget about the console for a sec.  How many people will think to
> make their config store directory non-world-readable?  Sure you could
> write some code to deserialize the stuff in there today, but if anyone
> with an account on the box can just view a plain-text plan out of the
> config store with the passwords, that's really "no security".  (And
> since every connector has different config params it's not so easy to
> just mask out the password in every file we copy in there, though it
> would be a good start to do it for any config-param where
> name.toLowerCase().indexOf("password") > -1.)
> Aaron
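
The name-based masking suggested at the end of the quoted message, as an added example that is not part of the original thread or Geronimo's own code. The `config-param` element with a `name` attribute, the class name and the sample plan are constructed assumptions, not Geronimo's plan schema.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class PlanPasswordMasker {
    // Constructed sample plan; element and attribute names are assumptions.
    static final String SAMPLE_PLAN =
        "<connector>"
      + "<config-param name=\"UserName\">appuser</config-param>"
      + "<config-param name=\"Password\">s3cret</config-param>"
      + "<config-param name=\"trustStorePassword\">changeit</config-param>"
      + "<config-param name=\"ApiKey\">k-12345</config-param>"
      + "</connector>";

    /** Blanks the value of every config-param whose name contains "password". */
    static String mask(String planXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Plans are untrusted input: refuse DOCTYPE declarations while parsing.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(planXml.getBytes(StandardCharsets.UTF_8)));
        NodeList params = doc.getElementsByTagName("config-param");
        for (int i = 0; i < params.getLength(); i++) {
            Element param = (Element) params.item(i);
            // The heuristic from the message; Locale.ROOT keeps it locale-independent.
            String name = param.getAttribute("name").toLowerCase(Locale.ROOT);
            if (name.indexOf("password") > -1) {
                param.setTextContent("****");
            }
        }
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(mask(SAMPLE_PLAN));
    }
}
```

In the constructed plan, `Password` and `trustStorePassword` are masked while `ApiKey` passes through unchanged, so a name match alone leaves differently named secrets in the stored plan.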
