[
https://issues.apache.org/jira/browse/CONNECTORS-737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13701969#comment-13701969
]
Karl Wright commented on CONNECTORS-737:
----------------------------------------
Hi Maciej,
Comparing against the "stored" value is what does not work, because there may
well be no "stored" value. Obfuscation is reversible, but it's not very
secure, and it is quite easy to come up with a password that can be
deobfuscated into garbage. So I don't think that's going to work.
> passwords handling in Manifold
> ------------------------------
>
> Key: CONNECTORS-737
> URL: https://issues.apache.org/jira/browse/CONNECTORS-737
> Project: ManifoldCF
> Issue Type: Wish
> Components: Active Directory authority, GoogleDrive connector
> Affects Versions: ManifoldCF 1.2
> Reporter: Maciej Lizewski
> Assignee: Karl Wright
> Fix For: ManifoldCF next
>
>
> Currently you can see stored passwords in the HTML body of the page, which is
> quite a big security hole. We could rewrite it so that the field is presented
> with some predefined constant string, like "###########" (only to show the
> field with some entered text). Then in process*Post handlers we should check
> if someone entered anything different here and only in such case overwrite
> the previously stored password. When the posted value is equal to "###########", we
> leave the previous password in the configuration intact.
> This applies to almost all connectors...
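
The placeholder scheme proposed in the quoted issue description, as an added sketch that is neither ManifoldCF code nor part of either participant's message. The class and method names and the `password` key are hypothetical, and a plain `Map` stands in for the connector configuration.

```java
import java.util.HashMap;
import java.util.Map;

public class MaskedPasswordField {
    // Constant shown in place of a stored password (the string proposed in the issue).
    static final String PLACEHOLDER = "###########";

    // Render the password input. The stored value itself is never written into the HTML.
    static String renderField(Map<String, String> config, String key) {
        String stored = config.get(key);
        // Nothing stored yet: render an empty field rather than the placeholder.
        String shown = (stored == null || stored.isEmpty()) ? "" : PLACEHOLDER;
        return "<input type=\"password\" name=\"" + key + "\" value=\"" + shown + "\"/>";
    }

    // Handle the posted form value; returns true if the stored password was changed.
    static boolean processPost(Map<String, String> config, String key, String posted) {
        if (posted == null) return false;              // field absent from this post
        if (PLACEHOLDER.equals(posted)) return false;  // untouched field: keep stored value
        config.put(key, posted);                       // anything else, even "", replaces it
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> config = new HashMap<>();  // constructed sample configuration
        String key = "password";                       // hypothetical parameter name

        // Case 1: nothing stored; the field renders empty and the first post stores a value.
        System.out.println(renderField(config, key));
        System.out.println("changed=" + processPost(config, key, "s3cret-constructed"));

        // Case 2: a value is stored; the page carries only the placeholder,
        // and posting the placeholder back leaves the configuration intact.
        String html = renderField(config, key);
        System.out.println(html + " leaksStored=" + html.contains("s3cret-constructed"));
        System.out.println("changed=" + processPost(config, key, PLACEHOLDER));

        // Case 3: the user types a new password over the placeholder.
        System.out.println("changed=" + processPost(config, key, "new-constructed"));

        // Limitation: a real password equal to PLACEHOLDER can never be set this way.
        System.out.println("changed=" + processPost(config, key, "###########"));
    }
}
```

The comparison here is against a fixed constant, so it behaves the same whether or not a password has been stored; the cost is the collision case shown last.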