jackrabbit-dev mailing list archives

From "Bart van der Schans (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-2697) Add support for encrypted db password in repository.xml
Date Mon, 08 Aug 2011 15:10:27 GMT

    [ https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080991#comment-13080991 ]

Bart van der Schans commented on JCR-2697:
------------------------------------------

Hi Jukka,

It could be that I'm missing something completely, but how is encoding the same as encryption?
It doesn't make sense to me to use base64 encoding for storing passwords as you can just decode
them. I don't think there's any (easy) way to decrypt an encrypted password and use it for
the db connection in a really secure way. Maybe you can try to obfuscate a pre-shared key
in the Java code and use that to decrypt the encrypted password. That would at least make
it much harder to decipher the password but certainly not impossible.

Another option might be to just ask for the password on startup, which is often the case with
SSL certificates in httpd, but it makes restarting much more of a hassle. You can automate most
of that though, for example with scripts that remotely log in over SSH, except when a server
comes up after a reboot.

Regards,
Bart

> Add support for encrypted db password in repository.xml
> -------------------------------------------------------
>
>                 Key: JCR-2697
>                 URL: https://issues.apache.org/jira/browse/JCR-2697
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: config
>    Affects Versions: 2.1.0
>            Reporter: Jervis Liu
>            Assignee: Jukka Zitting
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> Basically this is the same as the issue https://issues.apache.org/jira/browse/JCR-2673. I cannot reopen JCR-2673, so I filed a new one instead.
> The reason for this jira is because for a lot of companies it is not allowed to store passwords in clear text.
> Sorry, I don't know how this can be implemented yet. But I hope at least the requirement is clear.
> Thanks.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
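
The distinction drawn in the message above, as an added example that is not part of the original post or of Jackrabbit's code: base64 is reversed with no secret at all, while AES-GCM ciphertext is only recoverable with a key, here derived from a passphrase that would be supplied at startup. The class name, stored layout, iteration count and sample values are assumptions constructed for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class DbPasswordDemo {
    // Derive a 256-bit AES key from the startup passphrase; the key is never written to disk.
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 200_000, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }

    // Stored value (layout assumed for this example): base64(salt[16] || iv[12] || ciphertext+tag).
    static String encrypt(String dbPassword, char[] passphrase) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(dbPassword.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, 28 + ct.length);
        System.arraycopy(iv, 0, out, 16, 12);
        System.arraycopy(ct, 0, out, 28, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(String stored, char[] passphrase) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        SecretKeySpec key = deriveKey(passphrase, Arrays.copyOf(in, 16));
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 16, 12));
        return new String(c.doFinal(in, 28, in.length - 28), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Encoding only: anyone who can read the config file recovers the value.
        String enc = Base64.getEncoder().encodeToString("s3cret-db-pw".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(Base64.getDecoder().decode(enc), StandardCharsets.UTF_8));
        // Constructed passphrase; a real service would read it at startup (e.g. Console.readPassword).
        String stored = encrypt("s3cret-db-pw", "demo-passphrase".toCharArray());
        System.out.println(decrypt(stored, "demo-passphrase".toCharArray()));
        try {
            decrypt(stored, "wrong-passphrase".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase rejected");
        }
    }
}
```

If the passphrase were instead compiled into the class, as in the obfuscated pre-shared key option, anyone with the JAR and the config file could call `decrypt` themselves, which is why the message calls that harder but not impossible.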

        
