[https://issues.apache.org/jira/browse/SYNAPSE-376?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12677072#action_12677072]
Eric Hubert commented on SYNAPSE-376:
-------------------------------------
I just wanted to add that there are definitely different levels of security
requirements. Some organizations do have strict requirements to use only
encrypted db passwords. The level of targeted protection is rather low. They
just want to take care that not every user with read permissions on some app
server config files is able to access a database directly. Even if this
encrypted password is created via a hard-coded passphrase in the source code of
the app server, everything is fine as this would take some additional overhead
to find this out.
E.g., have a look at the JBoss default solution:
http://kickjava.com/src/org/jboss/resource/security/SecureIdentityLoginModule.java.htm
It is just a hard-coded passphrase in the source, but for some environments this
is "enough" protection compared to a non-encrypted plain text password in a
config file.
Sounds strange? You call it security by obscurity? These are just my personal
experiences. ;-)
Maybe there should also be an option to go with a "default" passphrase used for
password encryption? Even if a master password would be stored in some other
file or keystore this might be sufficient for some users. One has to know where
to find a master passphrase and more importantly how to decrypt the encrypted
password (possibly by studying the source code). Much more overhead than taking
the plain text db password and accessing the db straight away, although not
highly secure.
But entering a password at startup from the commandline or via jmx is certainly
not an option for most of the users I'm aware of as well.
Just my 0.2 cents.
> Securing password in the datasource definition
> -----------------------------------------------
>
> Key: SYNAPSE-376
> URL: https://issues.apache.org/jira/browse/SYNAPSE-376
> Project: Synapse
> Issue Type: Improvement
> Reporter: indika priyantha kumara
> Assignee: indika priyantha kumara
> Fix For: FUTURE
>
>
> Currently, passwords in the datasource definition are in clear text format.
> (In synapse.properties). Those have to be encrypted.
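The "master passphrase in some other file or keystore" option discussed in the comment above, as an added example that is not part of the issue or of Synapse's or JBoss's own code. The class name, the `salt:iv:ciphertext` token layout and the PBKDF2/AES-GCM parameters are this example's own choices; what separates it from the hard-coded-passphrase scheme is only where the `char[]` passed to the constructor comes from: a string literal in the source gives the JBoss-style obscurity the comment describes, while reading it from a file readable only by the server account means a user with read access to the properties file alone cannot recover the database password.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Example (not Synapse code): encrypts a datasource password with a key derived
 *  from a master passphrase that is kept outside the properties file. */
public final class DataSourcePasswordCipher {
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int GCM_TAG_BITS = 128;
    private final char[] masterPassphrase;

    /** Pass the contents of a restricted-permission file, not a literal from source. */
    public DataSourcePasswordCipher(char[] masterPassphrase) {
        this.masterPassphrase = masterPassphrase;
    }

    private SecretKey deriveKey(byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(masterPassphrase, salt, PBKDF2_ITERATIONS, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }

    /** Returns "salt:iv:ciphertext" in Base64, the form stored as the properties value. */
    public String encrypt(String plainPassword) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rnd.nextBytes(salt); rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plainPassword.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct);
    }

    /** Throws AEADBadTagException if the passphrase is wrong or the token was altered. */
    public String decrypt(String token) throws Exception {
        String[] p = token.split(":");
        if (p.length != 3) throw new IllegalArgumentException("expected salt:iv:ciphertext");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(b64.decode(p[0])), new GCMParameterSpec(GCM_TAG_BITS, b64.decode(p[1])));
        return new String(c.doFinal(b64.decode(p[2])), StandardCharsets.UTF_8);
    }
}
```

Usage: `new DataSourcePasswordCipher(passphraseFromRestrictedFile).encrypt("db-secret")` produces the value to place in the properties file, and the same constructor arguments with `decrypt(token)` recover it at datasource startup; the GCM tag means a wrong passphrase fails loudly instead of yielding garbage credentials.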
--
This message is automatically generated by JIRA.