How about we do what apple does... When connecting to a protected
wifi node, it won't show you the password unless you ask it to. This
prevents shoulder surfing but if you know your location is safe, you
can actually see what you typed. Also the key chain manager built
into the os allows you to see your stored passwords but you must
provide your paster password first.
Anyway, we could pop up a dialog box reminding the user that the
configuration file may contain sensitive information such as
passwords and do they really want to show it on the screen?
Alternatively, we could ask the user to re-authenticate themselves
before showing any sensitive information, but I'm not sure how you do
this in a web application.
-dain
On Nov 18, 2005, at 9:14 AM, Aaron Mulder wrote:
On 11/18/05, Dain Sundstrom <[EMAIL PROTECTED]> wrote:
Wait a sec. We are worried about an administrator that has access to
the console from seeing a password embedded an a configuration file?
The admin can deploy applications, which could easily just scan for
passwords in memory or on disk. Anyone with access to this console
is "root" for the geronimo instance.
Yeah, that's why I waffle. But for example, if you look at a database
pool in the console, it uses a password field and doesn't show you the
plain text. It's not that you can't get around this (via, say, view
source, if not writing your own code to inspect the GBeans), it's that
I'm not sure I like flagrantly popping up stuff with passwords right
there. You know, shoulder-surfing, or whatever.
Erin says some peolpe argue that no security is better than something
weak that gives you a false sense of security, but I also think
there's a place for defending against the casual observer.
Forget about the console for a sec. How many people will think to
make their config store directory non-world-readable? Sure you could
write some code to deserialize the stuff in there today, but if anyone
with an account on the box can just view a plain-text plan out of the
config store with the passwords, that's really "no security". (And
since every connector has different config params it's not so easy to
just mask out the password in every file we copy in there, though it
would be a good start to do it for any config-param where
name.toLowerCase().indexOf("password") > -1.)
Aaron
