[
https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895175#action_12895175
]
Jervis Liu commented on JCR-2697:
---------------------------------
I am not an expert in security, so I did a bit of research and found the following:
1. Encrypt the password using MD5 or SHA-1 etc., then configure the underlying
database to let it know the password passed in is encrypted. Similar to what this
post tried to achieve:
http://www.coderanch.com/t/307198/JDBC/java/Encrypted-Password-Oracle-JDBC
The problem with this approach is that the database configuration part can be
very db specific or even version specific. If this is true, it will be very
hard for us to maintain.
2. Most application servers have a way to store the database password encrypted
rather than in plain text. For example, this is how it is done in JBOSS AS:
http://community.jboss.org/wiki/encryptingdatasourcepasswords
I wonder if it is possible to do similar things in JackRabbit, e.g., we delegate
the db authentication part in repository.xml to another JAAS module (in the
example above, the SecureIdentityLoginModule). But please do not ask me how
SecureIdentityLoginModule is implemented; I have not figured this out yet.
Please comment.
> Add support for encrypted db password in repository.xml
> -------------------------------------------------------
>
> Key: JCR-2697
> URL: https://issues.apache.org/jira/browse/JCR-2697
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Components: config
> Affects Versions: 2.1.0
> Reporter: Jervis Liu
> Priority: Critical
>
> Basically this is the same as the issue
> https://issues.apache.org/jira/browse/JCR-2673. I cannot reopen JCR-2673, so
> I filed a new one instead.
> The reason for this jira is that for a lot of companies it is not allowed
> to store a password in clear text.
> Sorry, I don't know how this can be implemented yet. But I hope at least the
> requirement is clear.
> Thanks.