Credentials in server.xml are read as byte[], and are visible
-----------------------------------------------------------
Key: DIRSERVER-772
URL: http://issues.apache.org/jira/browse/DIRSERVER-772
Project: Directory ApacheDS
Issue Type: Bug
Reporter: Emmanuel Lecharny
The credentials declared in the server.xml file are read as a byte array
during the server initialization. Worse, they are visible to any mere mortal who
has access to this file.
At this point, I don't think that storing a password in a configuration file is
a good idea. There should be a phase in the installation where the password is
asked of the administrator and stored in the base, encrypted, of course!
However, if we don't change that in the next version, we must fix the
conversion from String to byte[], because the user's default encoding may be
different from UTF-8, which is the server.xml file's encoding. The piece of
code that reads the credential is:
...
// Context is javax.naming.Context; env is the JNDI environment populated
// from server.xml, so the credential arrives here as a java.lang.String.
Object value = env.get( Context.SECURITY_CREDENTIALS );
if ( value == null )
{
    credential = null;
}
else if ( value instanceof String )
{
    // No charset argument: the JVM's platform default encoding is used,
    // which need not be the UTF-8 that server.xml is written in.
    credential = ( ( String ) value ).getBytes();
}
Here, we should have something like:
    // Pins the encoding to that of the file; note that this overload declares
    // the checked java.io.UnsupportedEncodingException, which the caller must handle.
    credential = ( ( String ) value ).getBytes( "UTF-8" );
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
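The encoding mismatch described in the issue, as an added example that is not part of the JIRA report or of the ApacheDS code base. It mimics in Python what the Java code does: the credential is parsed correctly from a UTF-8 server.xml into a string, then converted to bytes with the platform default charset (the buggy path) or with UTF-8 pinned (the proposed fix), and compared byte-for-byte against the UTF-8 octets an LDAP client would present in a simple bind. The sample password, the set of candidate platform defaults, and the assumption that the client sends UTF-8 are constructed for this example; `errors="replace"` mirrors Java's `getBytes()` substituting `?` for characters the charset cannot represent.

```python
import hmac

# Constructed sample: the credential as parsed from a UTF-8 server.xml.
# The XML parser honours the file's declared encoding, so the string itself is
# right; the bug is in the later String -> byte[] step.
PARSED_CREDENTIAL = "p\u00e4ssw\u00f6rd"   # "pässwörd": contains non-ASCII


def server_credential_bytes(parsed: str, platform_default: str) -> bytes:
    """Mimics the buggy ((String) value).getBytes(): the JVM encodes with
    whatever the platform default charset happens to be (assumed here).
    errors='replace' mirrors Java substituting '?' for unmappable chars."""
    return parsed.encode(platform_default, errors="replace")


def fixed_server_credential_bytes(parsed: str) -> bytes:
    """Mimics the proposed getBytes("UTF-8"): the encoding is pinned."""
    return parsed.encode("utf-8")


def client_bind_bytes(password: str) -> bytes:
    """What an LDAP client presents in a simple bind (assumption for this
    example: the client sends the password as UTF-8 octets)."""
    return password.encode("utf-8")


def bind_succeeds(stored: bytes, presented: bytes) -> bool:
    """Byte-wise credential compare; compare_digest is used out of habit so
    that mismatches are not timing-distinguishable by content."""
    return hmac.compare_digest(stored, presented)


def demo(platform_default: str) -> dict:
    """Run the comparison under one assumed JVM default charset and report
    whether the buggy and the fixed server-side conversions accept the bind."""
    presented = client_bind_bytes(PARSED_CREDENTIAL)
    buggy = server_credential_bytes(PARSED_CREDENTIAL, platform_default)
    fixed = fixed_server_credential_bytes(PARSED_CREDENTIAL)
    return {
        "default": platform_default,
        "buggy_bytes": buggy,
        "buggy_ok": bind_succeeds(buggy, presented),
        "fixed_ok": bind_succeeds(fixed, presented),
    }


if __name__ == "__main__":
    # Candidate platform defaults a JVM might pick up from the OS locale.
    for cs in ("utf-8", "iso-8859-1", "cp1252", "us-ascii"):
        r = demo(cs)
        print(f"{r['default']:<11} server bytes={r['buggy_bytes']!r:<24} "
              f"bind ok? buggy={r['buggy_ok']} fixed={r['fixed_ok']}")
```

Only the UTF-8 default makes the buggy path agree with the client; under ISO-8859-1 or cp1252 the two umlauts become single bytes, and under US-ASCII they are lost entirely, so the configured administrator password silently stops working. A pure-ASCII password is unaffected by any of these charsets, which is why the bug is easy to miss in testing.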