[ 
https://issues.apache.org/jira/browse/CONNECTORS-737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13701680#comment-13701680
 ] 

Karl Wright commented on CONNECTORS-737:
----------------------------------------

The strategy I will use to fix this is as follows:

(a) Write a class that is referenced by the session bean, which mints password 
replacement values, and knows how to revert them.  API:
     
     String convert(String passwordValue)
     String revert(String newPasswordValue)
     
(b) Revise API for all UI-related connector methods to include an IUIActivities 
object.  IUIActivities object initially has just the convert/revert methods.
     
(c) Revise connectors to use new method form, a connector at a time.


                
> passwords handling in Manifold
> ------------------------------
>
>                 Key: CONNECTORS-737
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-737
>             Project: ManifoldCF
>          Issue Type: Wish
>          Components: Active Directory authority, GoogleDrive connector
>    Affects Versions: ManifoldCF 1.2
>            Reporter: Maciej Lizewski
>            Assignee: Karl Wright
>             Fix For: ManifoldCF next
>
>
> Currently you can see stored passwords in the HTML body of the page, which is 
> quite a big security hole. We could rewrite it so that the field is presented 
> with some predefined constant string, like "###########" (only to show the 
> field with some entered text). Then in the process*Post handlers we should check 
> whether someone entered anything different here, and only in that case overwrite 
> the previously stored password. When the posted value is equal to "###########", we 
> leave the previous password in the configuration intact.
> This applies to almost all connectors...

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
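Added example (not ManifoldCF's own code, and not part of the comment above): a sketch of the convert/revert strategy described in the comment. A session-scoped mapper mints an opaque replacement value for each stored password that a connector's view method has to put into a form, and the process*Post handler hands the posted value back to the mapper, which returns the original password for a known token and passes anything else through as the newly typed password. Only the method names convert and revert come from the comment; the class names (PasswordMapperDemo, PasswordMapper, ConnectorConfig), the "_MCFPW_" token prefix, the 128-bit random token format and the sample password are assumptions made for this illustration. Compared with the single constant placeholder proposed in the issue description, a minted key lets revert return the right stored value itself, so the post handler needs no separate "is this the placeholder" branch and no lookup of the previous value.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration of the convert/revert strategy for keeping stored passwords out of
 * rendered HTML. Hypothetical code written for this thread, not ManifoldCF's classes.
 */
public class PasswordMapperDemo {

    /** Held by the session bean; assumed to be one instance per UI session. */
    static final class PasswordMapper {
        // Assumed marker so a minted value is recognisably not a real password.
        private static final String PREFIX = "_MCFPW_";
        private final SecureRandom random = new SecureRandom();
        private final Map<String, String> tokenToPassword = new HashMap<>();
        private final Map<String, String> passwordToToken = new HashMap<>();

        /** Render side: returns a value that is safe to embed in the form. */
        synchronized String convert(String passwordValue) {
            // Nothing to hide for an unset password; an empty field stays empty.
            if (passwordValue == null || passwordValue.isEmpty()) {
                return passwordValue;
            }
            String token = passwordToToken.get(passwordValue);
            if (token == null) {
                byte[] buf = new byte[16];   // 128 random bits: unguessable, no collisions in practice
                random.nextBytes(buf);
                StringBuilder sb = new StringBuilder(PREFIX);
                for (byte b : buf) {
                    sb.append(String.format("%02x", b));
                }
                token = sb.toString();
                tokenToPassword.put(token, passwordValue);
                passwordToToken.put(passwordValue, token);
            }
            return token;
        }

        /** Post side: a known token means "unchanged"; anything else is what the user typed. */
        synchronized String revert(String newPasswordValue) {
            if (newPasswordValue == null) {
                return null;
            }
            String original = tokenToPassword.get(newPasswordValue);
            if (original != null) {
                return original;
            }
            if (newPasswordValue.startsWith(PREFIX)) {
                // Looks like a token but we never minted it: stale session or tampered form.
                // Refuse, rather than silently store the token string as the new password.
                throw new IllegalArgumentException("unknown password token");
            }
            return newPasswordValue;
        }
    }

    /** Stand-in for a connector's configuration plus its view and process*Post methods. */
    static final class ConnectorConfig {
        String storedPassword;

        /** What the view method emits; the markup carries the token, never the password. */
        String renderPasswordField(PasswordMapper mapper) {
            String shown = mapper.convert(storedPassword);
            // Tokens are hex with a fixed prefix, so no attribute escaping is needed here.
            return "<input type=\"password\" name=\"password\" value=\""
                    + (shown == null ? "" : shown) + "\"/>";
        }

        /** What the process*Post method does with the submitted field value. */
        void processPost(PasswordMapper mapper, String postedValue) {
            storedPassword = mapper.revert(postedValue);
        }
    }

    public static void main(String[] args) {
        PasswordMapper mapper = new PasswordMapper();
        ConnectorConfig cfg = new ConnectorConfig();
        cfg.storedPassword = "s3cret!";   // constructed sample value

        // 1. Render: the page shows a token and the real password is absent from the markup.
        String html = cfg.renderPasswordField(mapper);
        System.out.println(html);
        System.out.println("password present in HTML: " + html.contains(cfg.storedPassword));

        // 2. The user submits without touching the field: the token comes back unchanged.
        String token = mapper.convert(cfg.storedPassword);   // same token the form carried
        cfg.processPost(mapper, token);
        System.out.println("after untouched post: " + cfg.storedPassword);

        // 3. The user types a new password: it is stored as-is.
        cfg.processPost(mapper, "brand-new-pw");
        System.out.println("after edited post:    " + cfg.storedPassword);

        // 4. The user clears the field: the password is cleared, not silently kept.
        cfg.processPost(mapper, "");
        System.out.println("after cleared post:   '" + cfg.storedPassword + "'");
    }
}
```

Compile and run with `javac PasswordMapperDemo.java && java PasswordMapperDemo`. Two points worth carrying into a real implementation: the map lives with the session, so a form rendered in one session and posted in another (or after a restart) presents a token the mapper has never seen, and the prefix check in revert is what stops that token from being written into the configuration as the password; and an empty posted value is deliberately passed through, so clearing the field clears the stored password instead of preserving it, which the constant-placeholder scheme would have to handle as a separate case.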