ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (OFBIZ-9966) Secure the login.secret_key_string
Date Tue, 20 Feb 2018 12:10:00 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jacques Le Roux closed OFBIZ-9966.
----------------------------------
       Resolution: Won't Fix
    Fix Version/s: 16.11.05
                   17.12.01

Nobody answered to my last message on dev ML. So I think nobody else cares about this and
I can close as won't fix. I don't use not a problem, because for me it's not the best way
and I explained why as much as I could.

Reverted in

trunk r1824855  (completes r1814392)

R17.2 r1824856 (completes r1814392)

R16.11 r1824857

> Secure the login.secret_key_string
> ----------------------------------
>
>                 Key: OFBIZ-9966
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9966
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 17.12.01, 16.11.05
>
>
> When OFBIZ-4983 was implemented I missed that we put the login.secret_key_string as a
property in security properties. This should not have been because it eases attackers work.
> The recommended way is to have it as a private static final String that can be changed
just when compiling using sed and uuidgen. So then the key is temporay and final and it gets
quite harder for a possible attacker to use this mean.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message