[ https://issues.apache.org/jira/browse/JSPWIKI-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14146378#comment-14146378 ]

Glen Mazza commented on JSPWIKI-205:
------------------------------------

"...which is encrypted with a masterkey (which is buried in the wiki code)."  
You mean put the key in the JSPWiki source code, publicly available on the 'Net 
for all to see?  That would appear to make the security meaningless if I'm 
understanding you correctly.

I'm not sure what use case this JIRA item proposes to solve.  In cases where 
someone has read access to the directory containing this password file but not 
access to see the passwords themselves, can't the operating system directory 
and/or file permissions be set so that person can't access the file?  I would 
think this issue could be fixed just by setting OS permissions correctly.  
Further, assuming you have some admin who is allowed to access the directory 
containing the file with the passwords, but is not allowed to have access to 
the passwords in the file themselves, being an admin, what's to prevent him 
from granting himself the right to view the passwords anyway on the Wiki?

This issue appears to be just a subset of a more generalized problem of how to 
limit the admin from seeing pages by viewing the directory files that he 
doesn't have rights to see via the Wiki.  I don't think that is solvable (or 
needs to be solved) because the admin, perhaps by definition, is someone with 
access and control over the entire Wiki.


> Obfuscate on disk content type
> ------------------------------
>
>                 Key: JSPWIKI-205
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-205
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>            Reporter: Chris Lialios
>            Priority: Trivial
>         Attachments: BasicOverview.doc, EncryptingProviderSource.zip, 
> encryption.patch, encryption.patch, encryption.patch, encryption.patch
>
>
> We would like to store passwords within the wiki pages. 
> Securing the page is trivial, however the contents on disk remain clear text.
> It would be very nice to have a page type that could be stored in an 
> obfuscated form on disk. 
> As an addition, have a secondary password to display/edit the encrypted 
> contents on disk for those who do not want to use wiki security on the page.
> I suspect this will have potentially drastic effects on the revisions 
> process, but it would be a small price to pay for security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
