[
https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683633#comment-13683633
]
Mark Struberg commented on DELTASPIKE-382:
------------------------------------------
Gerhard, SOME don't care but others DO!
Also your argument is really not well founded. There is only 1 solution to be
completely safe: to let the OS take care about security and use a trusted key
infrastructure. But once someone can inject/run foreign code on your server,
then ALL bets are off.
Sometimes you do need to keep a password around for your application to log in
to another system. And regardless whether you do use a synchronous encryption
or not - there is always a way to reconstruct this password. Storing it into
JNDI should be sufficiently safe for most users. If it's not enough for them
then they shall not use it, but for most people I've talked to it's really
sufficient. The only important thing is that this configuration must never
leave the server. And this is not guaranteed if we log it natively.
> mask out passwords and other credentials
> ----------------------------------------
>
> Key: DELTASPIKE-382
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
> Project: DeltaSpike
> Issue Type: New Feature
> Components: Configuration
> Affects Versions: 0.4
> Reporter: Mark Struberg
> Assignee: Mark Struberg
> Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and
> where we did find some value, but not print the details for all configs which
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!
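A sketch of the masking rule the issue proposes, as an added example that is not DeltaSpike's own code: mask switches are read from `deltaspike_config.mask.<key>=true`, and every config key that starts with a masked key is logged only as "found in <source>", never with its value. The class and method names are hypothetical and the sample properties and source name are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class MaskedConfigLogger {
    // Prefix proposed in the issue; everything after it names the key to mask.
    static final String MASK_PREFIX = "deltaspike_config.mask.";

    /** Collects every key K for which deltaspike_config.mask.K=true is configured. */
    static List<String> maskedPrefixes(Properties props) {
        List<String> masks = new ArrayList<>();
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith(MASK_PREFIX) && Boolean.parseBoolean(props.getProperty(name))) {
                masks.add(name.substring(MASK_PREFIX.length()));
            }
        }
        return masks;
    }

    /** Prefix match: "some.random.password.backup" is masked by "some.random.password". */
    static boolean isMasked(String key, List<String> masks) {
        for (String mask : masks) {
            if (key.startsWith(mask)) return true;
        }
        return false;
    }

    /** One log line per key; masked keys report only that and where a value was found. */
    static Map<String, String> describe(Properties props, String source) {
        List<String> masks = maskedPrefixes(props);
        Map<String, String> lines = new LinkedHashMap<>();
        for (String key : props.stringPropertyNames()) {
            if (key.startsWith(MASK_PREFIX)) continue; // the switches themselves carry no secret
            if (isMasked(key, masks)) {
                lines.put(key, "found in " + source + " (value masked)");
            } else {
                lines.put(key, "found in " + source + " = " + props.getProperty(key));
            }
        }
        return lines;
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration
        props.setProperty("some.random.password", "s3cr3t");
        props.setProperty("some.random.password.backup", "old-s3cr3t");
        props.setProperty("app.name", "demo");
        props.setProperty(MASK_PREFIX + "some.random.password", "true");
        describe(props, "sample.properties").forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

Running it prints the value of `app.name` but only "(value masked)" for both password keys, which is the behaviour the issue asks for when the configuration is logged.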