[ 
https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13081020#comment-13081020
 ] 

Jukka Zitting commented on JCR-2697:
------------------------------------

As you say, proper encryption in this case is impossible without some 
out-of-band source of the encryption key. And providing something like that is 
IMHO outside the scope of Jackrabbit. Should a more secure setup like that be 
needed, my recommendation would be to configure the database connection in JNDI 
with a container that supports such a setup and then just point Jackrabbit to 
that data source.

The Base64 approach I added is pretty much equivalent to the approach used by 
JBoss; I just use Base64 instead of a more complicated encoding based on some 
hardcoded key. I actually prefer this approach to the one used by JBoss, as it 
makes it obvious that the only benefit over plain text passwords is security by 
obscurity.

Ideally I wouldn't even have implemented anything like this, but I keep hearing 
this complaint too often from people who also agree that not allowing plain 
text passwords for something like this is silly but enforced by some fixed 
policy they can't change.


> Add support for encrypted db password in repository.xml
> -------------------------------------------------------
>
>                 Key: JCR-2697
>                 URL: https://issues.apache.org/jira/browse/JCR-2697
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: config
>    Affects Versions: 2.1.0
>            Reporter: Jervis Liu
>            Assignee: Jukka Zitting
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> Basically this is the same as the issue 
> https://issues.apache.org/jira/browse/JCR-2673. I cannot reopen JCR-2673, so 
> I filed a new one instead. 
> The reason for this jira is that for a lot of companies it is not allowed 
> to store passwords in clear text. 
> Sorry, I don't know how this can be implemented yet. But I hope at least the 
> requirement is clear. 
> Thanks.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
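
An added illustration of the comment's point that Base64 gives no protection beyond obscurity (this is not Jackrabbit's code and not part of the original thread): a configuration audit that recovers Base64-encoded passwords as easily as plain text ones. The sample config, the `{base64}` marker and the `param` element layout are assumptions constructed for the example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample config; class names, credentials and the
# <param name=... value=...> layout are assumptions for this example.
SAMPLE_CONFIG = """
<Repository>
  <PersistenceManager class="example.PersistenceManager">
    <param name="url" value="jdbc:example://db.internal/jcr"/>
    <param name="user" value="jcr"/>
    <param name="password" value="{base64}czNjcjN0LXB3"/>
  </PersistenceManager>
  <DataStore class="example.DataStore">
    <param name="password" value="hunter2"/>
  </DataStore>
  <FileSystem class="example.FileSystem">
    <param name="password" value="{base64}not valid!"/>
  </FileSystem>
</Repository>
"""

PREFIX = "{base64}"  # assumed marker for encoded values


def recover(value):
    """Return (kind, cleartext) for a configured password value."""
    if not value.startswith(PREFIX):
        return "plaintext", value
    try:
        # No key is involved: anyone who can read the file can do this.
        raw = base64.b64decode(value[len(PREFIX):], validate=True)
        return "base64", raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "malformed", None


def audit(xml_text):
    """List each password param as (parent tag, kind, recoverable)."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for param in parent.findall("param"):
            if param.get("name", "").lower() == "password":
                kind, clear = recover(param.get("value", ""))
                findings.append((parent.tag, kind, clear is not None))
    return findings
```

Both the `plaintext` and the `base64` findings are recoverable by any reader of the file, so file permissions or a container-managed JNDI data source remain the actual control.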
