jackrabbit-dev mailing list archives

From "Jervis Liu (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2697) Add support for encrypted db password in repository.xml
Date Wed, 04 Aug 2010 07:54:16 GMT

    [ https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895175#action_12895175 ]

Jervis Liu commented on JCR-2697:

I am not an expert in security, so I did a bit of research and found the following:

1. Encrypt the password using MD5 or SHA-1 etc., then configure the underlying database to let
it know the password passed in is encrypted. Similar to what this post tried to achieve:

The problem with this approach is that the database configuration part can be very db specific
or even version specific. If this is true, it will be very hard for us to maintain.

2. Most application servers have a way to store the database password encrypted rather than
in plain text. For example, this is how it is done in JBOSS AS:

I wonder if it is possible to do similar things in Jackrabbit, e.g., we delegate the db authentication
part in repository.xml to another JAAS module (in the example above, the SecureIdentityLoginModule).
But please do not ask me how SecureIdentityLoginModule is implemented, I have not figured
this out yet.

Please comment. 

> Add support for encrypted db password in repository.xml
> -------------------------------------------------------
>                 Key: JCR-2697
>                 URL: https://issues.apache.org/jira/browse/JCR-2697
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: config
>    Affects Versions: 2.1.0
>            Reporter: Jervis Liu
>            Priority: Critical
> Basically this is the same as the issue https://issues.apache.org/jira/browse/JCR-2673. I
> can not reopen JCR-2673, so I filed a new one instead.
> The reason for this jira is that for a lot of companies it is not allowed to store
> passwords in clear text.
> Sorry, I don't know how this can be implemented yet. But I hope at least the requirement
> is clear.
> Thanks.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
