[ http://issues.apache.org/jira/browse/DIRSERVER-772?page=all ]

Emmanuel Lecharny updated DIRSERVER-772:
----------------------------------------

        Summary: Credentials in server.xml is transformed to byte[] without 
using "UTF-8"  (was: Credentials in server.xml is read as byte[], and is 
visible)
    Description: 
The credentials declared in the server.xml files are read as a byte array 
during the server initialization. 
However, if we don't change that in the next version, we must fix the 
conversion from String to byte[], because the user's default encoding may be 
different from UTF-8, which is the server.xml file's encoding. The piece of 
code that reads the credential is :
...
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
        {
            credential = null;
        }
        else if ( value instanceof String )
        {
            credential = ( ( String ) value ).getBytes();
        }

Here, we should have something like :
            credential = ( ( String ) value ).getBytes( "UTF-8" );


  was:
The credentials declared in the server.xml files are read as a byte array 
during the server initialization. Worse, it is visible to the mere mortal who 
has access to this file.
At this point, I don't think that storing a password in a configuration file is 
a good idea. There should be a phase in installation where the password must be 
asked to the administrator, and stored in the base, crypted, of course !
However, if we don't change that in the next version, we must fix the 
conversion from String to byte[], because the user's default encoding may be 
different from UTF-8, which is the server.xml file's encoding. The piece of 
code that reads the credential is :
...
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
        {
            credential = null;
        }
        else if ( value instanceof String )
        {
            credential = ( ( String ) value ).getBytes();
        }

Here, we should have something like :
            credential = ( ( String ) value ).getBytes( "UTF-8" );



Renamed the issue, and discarded the problem of visibility; it deserves another 
issue.

> Credentials in server.xml is transformed to byte[] without using "UTF-8"
> ------------------------------------------------------------------------
>
>                 Key: DIRSERVER-772
>                 URL: http://issues.apache.org/jira/browse/DIRSERVER-772
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Emmanuel Lecharny
>
> The credentials declared in the server.xml files are read as a byte array 
> during the server initialization. 
> However, if we don't change that in the next version, we must fix the 
> conversion from String to byte[], because the user's default encoding may be 
> different from UTF-8, which is the server.xml file's encoding. The piece of 
> code that reads the credential is :
> ...
>         Object value = env.get( Context.SECURITY_CREDENTIALS );
>         if ( value == null )
>         {
>             credential = null;
>         }
>         else if ( value instanceof String )
>         {
>             credential = ( ( String ) value ).getBytes();
>         }
> Here, we should have something like :
>             credential = ( ( String ) value ).getBytes( "UTF-8" );

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
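
The following is an added illustration, not ApacheDS code and not part of the original message: it shows why the charset-less getBytes() reported above only fails for non-ASCII passwords. The class name, the toCredentialBytes helper, the sample passwords, and the use of ISO-8859-1 as a stand-in for a non-UTF-8 platform default are all assumptions made for the example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class CredentialEncodingDemo
{
    // Hypothetical helper mirroring the null/String branches quoted in the issue,
    // with the charset passed explicitly instead of taken from the platform default.
    static byte[] toCredentialBytes( Object value, Charset charset )
    {
        if ( value == null )
        {
            return null;
        }
        if ( value instanceof String )
        {
            return ( ( String ) value ).getBytes( charset );
        }
        throw new IllegalArgumentException( "Unsupported credential type: " + value.getClass() );
    }

    // Render bytes as space-separated hex so the two encodings can be compared by eye.
    static String hex( byte[] bytes )
    {
        StringBuilder sb = new StringBuilder();
        for ( byte b : bytes )
        {
            sb.append( String.format( "%02x ", b & 0xff ) );
        }
        return sb.toString().trim();
    }

    public static void main( String[] args )
    {
        // Constructed sample passwords: one pure ASCII, one containing U+00E9.
        String[] samples = { "secret", "s\u00e9cret" };
        for ( String password : samples )
        {
            byte[] utf8 = toCredentialBytes( password, StandardCharsets.UTF_8 );
            // Stand-in for what getBytes() yields on a JVM whose default encoding is not UTF-8.
            byte[] latin1 = toCredentialBytes( password, StandardCharsets.ISO_8859_1 );
            System.out.println( "UTF-8      : " + hex( utf8 ) );
            System.out.println( "ISO-8859-1 : " + hex( latin1 ) );
            // Constant-time comparison, as one would use when checking credential bytes.
            System.out.println( "match      : " + MessageDigest.isEqual( utf8, latin1 ) );
        }
    }
}
```

The ASCII password encodes identically under both charsets, which is why the defect can go unnoticed in testing; the non-ASCII one differs in both length and content, so a credential configured on one platform would not match on another.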

        
