Do not cache plain text passwords in credential cache or in LdapPrincipal
-------------------------------------------------------------------------
Key: DIRSERVER-1088
URL: https://issues.apache.org/jira/browse/DIRSERVER-1088
Project: Directory ApacheDS
Issue Type: Bug
Components: core
Affects Versions: 1.5.0, 1.5.1
Reporter: Alex Karasulu
Fix For: 1.5.2
It's really not a good idea to cache plain text passwords in memory which can
easily be comprimised with memory readers to enable password theft. The best
thing to do here in the short term is to disable caching if the password is
plaintext.
If caching is still desired then a temp key generated at startup can be used to
encrypt and decrypt plain text password when put into memory. Perhaps this is
the best option which still keeps performance.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
