Hi Colm, thanks for looking at the docs.

Please note that documents built by buildbot are published at https://ci.apache.org/projects/syncope/2_1_X/ when built from branch 2_1_X and at https://ci.apache.org/projects/syncope/master/ when built from master. The docs published at https://syncope.apache.org/docs/2.1/ are instead manually built from the latest tag, as part of the release process.

At present, when a change to docs is pushed, buildbot can be triggered manually via IRC on the #syncope channel via

syncope-bot: force build syncope-master-docs

or

syncope-bot: force build syncope-2_1_X-docs

Buildbot will run anyway once a day on all configured jobs.

See my replies below.
Regards.

On 25/05/21 12:58, Colm O hEigeartaigh wrote:
> Hi,
>
> There are a few things I noticed relating to the docs that could be clarified:
>
> 1. The docs (https://syncope.apache.org/docs/2.1/getting-started.html#moving-forward) state that the "secretKey" value is only needed if adminPasswordAlgorithm or password.cipher.algorithm is "AES", implying that it could be left blank if you are not using AES. However, I see CipherAlgorithm.AES in the source code in several places (e.g. ./core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/AccessTokenLogic.java), which implies that secretKey should always be required. Which is correct?
That's correct, docs need to be adjusted.
> 2. I think we need to give clearer guidance about how to change secretKey. How should a user generate a random 256 bit AES key, and then encode it for this parameter? (e.g. possibly using openssl -rand).
secretKey is a random string, whose value is bootstrapped during Maven project generation from archetype, and filtered by Maven into security.properties.

If the provided value is less than 16 characters in length, it gets padded before usage; see https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java#L151-L161
> 3. Both docs give minimal information on what "anonymousKey" is used for. What is it used for and how should a user generate a new value for it?
anonymousKey is a random string, whose value is bootstrapped during Maven project generation from archetype, and filtered by Maven into security.properties.

Together with anonymousUser (whose value is 'anonymous' by default), it is used for non security-sensitive REST calls, as an alternative to leaving some endpoints accessible without any authentication.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
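As an added example (not code from the thread or from the Syncope project), this shell snippet generates a 256-bit random secretKey, hex-encoded, and checks it against the 16-character minimum that the reply above says triggers padding; the property name is assumed to match the secretKey entry in security.properties.

```shell
#!/bin/sh
# Added example, not Syncope's own code.
# Assumption: /dev/urandom is available; "openssl rand -hex 32" would be an
# equivalent generator where openssl is installed.

# Generate 32 random bytes (256 bits) and hex-encode them: 64 printable
# characters, well above the 16-character threshold mentioned in the thread,
# so the value is used as-is and no padding is applied.
gen_secret_key() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 if the key meets the 16-character minimum, 1 otherwise, so a
# short (and therefore padded) value can be rejected before deployment.
check_secret_key() {
    key="$1"
    [ "${#key}" -ge 16 ]
}

# Render the line to place into security.properties (assumed property name).
secret_key_property() {
    printf 'secretKey=%s\n' "$1"
}

# Usage: key=$(gen_secret_key); check_secret_key "$key" && secret_key_property "$key"
```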