On 03.04.2013 17:23, Pierre-Arnaud Marcelot wrote: > Thanks Jeff. > > I did look at that before working on it. > But, as far as I remember it was requiring a more recent version of Eclipse > (3.5 maybe, I don't remember exactly) than what we currently support (3.3 I > guess). > So the API is not available. > > The fact that you don't need to provide a password to read the data is > interesting and that's exactly why I chose to make this optional in Studio. > I really think most of our users don't want to be asked a password when > connecting to a server. > But for people dealing with very sensitive server connection, the passwords > keystore is a must have.
Hm, I wonder why we need to stick with the 3.3 API? I mean that version is more then 5 years old. And the RCP application is already up-to-date and used version 3.8. > On 3 avr. 2013, at 17:10, Jeff MAURY <[email protected]> wrote: > >> Please note that Eclipse provides such a functionality out of the box. The >> secure storage is managed by Eclipse and you just need to save your >> sensitive configuration data (password). There is no need to provide a >> password when reading the data (at least on Windows at Eclipse has an >> integration with the Windows authentication layer). >> I have used it in my Eclipse based product, and for security reasons, I >> choose to make it non optional. >> >> Jeff >> >> >> On Wed, Apr 3, 2013 at 10:43 AM, Pierre-Arnaud Marcelot <[email protected]> >> wrote: >> In the past week, I've been working on a interesting and very important >> feature for Apache Directory Studio: secure storage of connections passwords >> into a password-protected keystore. >> >> At the moment, when you check the "Save password" checkbox in the properties >> of a connection, that password gets saved in the connections file alongside >> other parameters like host, port, etc. >> The problem is that the password is saved in clear text in the file and that >> could be an issue for some users. >> >> So, the idea is to have an option (disabled by default) in Apache Directory >> Studio to save the passwords of the connections in a keystore protected by a >> "master password". This password would be asked when accessing the password >> of a connection (opening a connection for example). >> >> This is a very low-level addition in Studio's code and a very sensitive >> refactoring, so I'm extra cautious here. >> >> I really think we can't release a 2.0 version of Studio without this kind of >> functionality. It's really a must-have. I agree that we need such a thing. I feel ashamed and careless that I implemented the password saving without proper security back then :( Kind Regards, Stefan
