From "Jukka Zitting (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-2697) Add support for encrypted db password in repository.xml
Date Mon, 08 Aug 2011 16:04:27 GMT

    [ https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081020#comment-13081020

Jukka Zitting commented on JCR-2697:

As you say, proper encryption in this case is impossible without some out-of-band source of
the encryption key. And providing something like that is IMHO outside the scope of Jackrabbit.
Should a more secure setup like that be needed, my recommendation would be to configure the
database connection in JNDI with a container that supports such a setup and then just point
Jackrabbit to that data source.

The Base64 approach I added is pretty much equivalent to the approach used by JBoss; I just
use base64 instead of a more complicated encoding based on some hardcoded key. I actually
prefer this approach to the one used by JBoss, as it makes it obvious that the only benefit
over plain text passwords is security by obscurity.

Ideally I wouldn't even have implemented anything like this, but I keep hearing this complaint
too often from people who also agree that not allowing plain text passwords for something
like this is silly but enforced by some fixed policy they can't change.

> Add support for encrypted db password in repository.xml
> -------------------------------------------------------
>                 Key: JCR-2697
>                 URL: https://issues.apache.org/jira/browse/JCR-2697
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: config
>    Affects Versions: 2.1.0
>            Reporter: Jervis Liu
>            Assignee: Jukka Zitting
>            Priority: Critical
>             Fix For: 2.3.0
> Basically this is the same as the issue https://issues.apache.org/jira/browse/JCR-2673. I cannot reopen JCR-2673, so I filed a new one instead.
> The reason for this jira is that for a lot of companies it is not allowed to store passwords in clear text.
> Sorry, I don't know how this can be implemented yet. But I hope at least the requirement is clear.
> Thanks.

This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
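As an added example, not code from the Jackrabbit project or from this JIRA thread: a small audit script that reads a repository.xml fragment and reports, per data source, whether the database password sits in the file in plain text, is base64-obscured (and so is recovered on the spot, which is the "security by obscurity" point above), or is delegated to a container-managed JNDI data source as the comment recommends. The `{base64}` prefix and the sample XML are constructed assumptions; the `javax.naming.InitialContext` driver with a `java:comp/env/...` URL is the JNDI data-source form as I recall it from the Jackrabbit docs, treat it as an assumption too.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample repository.xml fragment (not from the Jackrabbit project).
# "{base64}" is an assumed marker for the encoded form, not the real JCR-2697 syntax.
SAMPLE_REPOSITORY_XML = """<?xml version="1.0"?>
<Repository>
  <DataSources>
    <DataSource name="plain">
      <param name="driver" value="org.h2.Driver"/>
      <param name="user" value="sa"/>
      <param name="password" value="hunter2"/>
    </DataSource>
    <DataSource name="obscured">
      <param name="driver" value="org.h2.Driver"/>
      <param name="password" value="{base64}aHVudGVyMg=="/>
    </DataSource>
    <DataSource name="container">
      <param name="driver" value="javax.naming.InitialContext"/>
      <param name="url" value="java:comp/env/jdbc/repository"/>
    </DataSource>
  </DataSources>
</Repository>
"""


def classify_password(value):
    """Return (kind, recovered_plaintext_or_None) for one password param value."""
    if value.startswith("{base64}"):
        encoded = value[len("{base64}"):]
        try:
            # validate=True rejects characters outside the base64 alphabet
            plain = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ("base64-malformed", None)
        return ("base64", plain)  # obscured, but the secret is still in the file
    return ("plaintext", value)


def audit_repository_xml(xml_text):
    """Map each named element carrying <param> children to how its password is stored."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("name")
        params = {p.get("name"): p.get("value") for p in elem.findall("param")}
        if name is None or not params:
            continue
        if params.get("driver") == "javax.naming.InitialContext":
            findings[name] = ("jndi", None)  # credentials live in the container, not here
        elif "password" in params:
            findings[name] = classify_password(params["password"])
    return findings
```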