[ https://issues.apache.org/jira/browse/CONNECTORS-737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13701552#comment-13701552 ]

Karl Wright commented on CONNECTORS-737:
----------------------------------------

This strategy won't work.  It has the main problem that there are times where 
the ONLY password value being tracked is in fact in the posted data, and there 
is no other copy, e.g. new connections where there are multiple tabs.  There's 
also a problem of synchronization between multiple sessions, which will someday 
be a blocker as well.

After some consideration, I believe that this issue can only properly be solved 
by doing two things:

(a) Introduce sessions into the MCF crawler UI;
(b) Put existing values of passwords into session variables, in a map where 
there's a key (which is actually what gets posted), and the current value.

> passwords handling in Manifold
> ------------------------------
>
>                 Key: CONNECTORS-737
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-737
>             Project: ManifoldCF
>          Issue Type: Wish
>          Components: Active Directory authority, GoogleDrive connector
>    Affects Versions: ManifoldCF 1.2
>            Reporter: Maciej Lizewski
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.3
>
>
> Currently you can see stored passwords in the HTML body of the page, which is 
> quite a big security hole. We could rewrite it so that the field is presented 
> with some predefined constant string, like "###########" (only to show the 
> field with some entered text). Then in the process*Post handlers we should check 
> if someone entered anything different here and only in such case overwrite the 
> previously stored password. When the posted value is equal to "###########" we 
> leave the previous password in the configuration intact.
> This applies to almost all connectors...
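The two strategies discussed in this thread, modelled as an added Python example (not ManifoldCF code): the placeholder check from the issue description beside the session-keyed map Karl proposes, both run through the multi-tab new-connection case where the posted data is the only copy of the password. The function names, the `SessionPasswords` class and the simulated tab flow are assumptions made for the illustration.

```python
import secrets

PLACEHOLDER = "###########"  # the constant sentinel proposed in the issue


def naive_render(stored):
    # Placeholder strategy: never echo the real password, show the sentinel instead
    return PLACEHOLDER if stored else ""


def naive_process_post(stored, posted):
    # Keep the previously stored password unless the user typed something else
    return stored if posted == PLACEHOLDER else posted


class SessionPasswords:
    """Server-side session store: opaque key (what the browser posts) -> real value.
    Hypothetical stand-in for the session variables Karl describes."""

    def __init__(self):
        self._values = {}

    def render(self, value):
        # Unguessable key, so it cannot collide with a password the user types
        key = secrets.token_urlsafe(16)
        self._values[key] = value
        return key

    def process_post(self, posted):
        # A known key means the field was left untouched; anything else is new input
        return self._values.get(posted, posted)


def simulate_multi_tab(stored, typed, use_session):
    """Model an edit with two tabs: type the password on tab 1, switch to tab 2
    (a post that re-renders the whole form), then save from tab 2 untouched."""
    session = SessionPasswords()
    # Tab switch: the typed value exists only in the posted data at this point
    after_tab1 = session.process_post(typed) if use_session else naive_process_post(stored, typed)
    # Tab 2 renders the field again. The placeholder page has nothing but the
    # sentinel to show; the session page parks the value under a fresh key.
    field = session.render(after_tab1) if use_session else naive_render(after_tab1)
    # Save from tab 2 without touching the password field
    return session.process_post(field) if use_session else naive_process_post(stored, field)
```

With `stored=None` the placeholder strategy returns `None` on save, which is the lost-password case Karl describes; the session map returns the typed value.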

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira