[ https://issues.apache.org/jira/browse/CONNECTORS-737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693870#comment-13693870 ]

Karl Wright commented on CONNECTORS-737:
----------------------------------------

Hi Maciej,

The current security model basically presumes that there is one user of the 
ManifoldCF UI, or at least that all users of the ManifoldCF UI have similar 
levels of authority as far as knowledge of passwords is concerned.  Using the 
"password"-type HTML form element is simply to prevent people seeing passwords 
on the screen looking over somebody's shoulder.

So I guess the point is that if we wanted a more robust model for user 
security, there are probably a lot of things we'd want to change.  For example, 
you would probably want to grant individual users or user groups responsibility 
for each connection (since that's where the passwords are), etc.  It seems like 
your fix is an overly narrow one, perhaps.

> passwords handling in Manifold
> ------------------------------
>
>                 Key: CONNECTORS-737
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-737
>             Project: ManifoldCF
>          Issue Type: Bug
>            Reporter: Maciej Lizewski
>
> Currently you can see stored passwords in the HTML body of the page, which is 
> quite a big security hole. We could rewrite it so that the field is presented 
> with some predefined constant string, like "###########" (only to show the 
> field with some entered text). Then in the process*Post handlers we should check 
> whether someone entered anything different here and only in such case overwrite 
> the previously stored password. When the posted value is equal to "###########", we 
> leave the previous password in the configuration intact.
> This applies to almost all connectors...
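The placeholder scheme described in the issue, as an added illustration in Python that is not ManifoldCF's own code: the leaky form puts the stored secret into the HTML, the hardened form renders only the constant sentinel, and the post handler overwrites the stored password only when the posted value differs from that sentinel. Field and function names here are assumptions.

```python
import html

# Constant sentinel shown in place of the real password (value from the issue).
PASSWORD_PLACEHOLDER = "###########"


def render_password_field_leaky(stored_password: str) -> str:
    """'Before': the stored secret is embedded in the page source.

    type="password" only masks it on screen; anyone who views the source or
    captures the response body can read it."""
    return ('<input type="password" name="password" value="%s"/>'
            % html.escape(stored_password, quote=True))


def render_password_field(stored_password: str) -> str:
    """'After': never emit the secret; show the sentinel only if one is stored."""
    value = PASSWORD_PLACEHOLDER if stored_password else ""
    return '<input type="password" name="password" value="%s"/>' % value


def process_post(stored_password: str, posted: dict) -> str:
    """Return the password to persist after the form is submitted.

    Rule from the issue: if the posted value is the untouched sentinel (or the
    field is absent), keep the stored password; anything else, including an
    empty string that the user cleared the field to, replaces it."""
    value = posted.get("password")
    if value is None or value == PASSWORD_PLACEHOLDER:
        return stored_password
    return value


if __name__ == "__main__":
    # Constructed sample: a connection with an existing password is edited twice.
    stored = "s3cret"
    print(render_password_field_leaky(stored))  # secret visible in markup
    print(render_password_field(stored))        # only the sentinel appears
    stored = process_post(stored, {"password": PASSWORD_PLACEHOLDER})  # unchanged
    stored = process_post(stored, {"password": "n3w-pass"})            # replaced
    print(stored)
```

One caveat the rule implies: a user who deliberately types the sentinel string as a new password has the change silently ignored, so that literal is effectively reserved.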
