On Fri, Mar 15, 2013 at 5:24 PM, Christian Mueller <
[email protected]> wrote:

> If I try to get some information about a data store using REST, the
>  response contains encrypted data store passwords.
>
> Some snippets, executing
>
> curl -v -u admin:geoserver -XGET
>   http://localhost:8080/geoserver/rest/workspaces/acme/datastores/nync.xml
>
> results in
>  ...
>   <entry key="passwd">crypt1:pw5lO+WAt6nThMc1cywD3Q==</entry>
>    <entry key="dbtype">postgis</entry>
> ...
>
> Even worse, doing the same REST call again, the encrypted password is
> different. (This is because we use a salt and the plain text password is
> encrypted for each REST call).
>
> IMHO, I would expect the plain text password, the cipher text is quite
> useless.
>
> Opinions ?
>

I agree, returning the crypted password seems like a bug to me. These
operations are protected and only an admin can access them anyways.
Either that, or we should avoid returning the password at all...

Cheers
Andrea


-- 
==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39  339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it
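
An added example, not part of the thread and not GeoServer code: a client-side check that flags credential entries in a data store REST response and strips them, which is the "avoid returning the password at all" option raised above. The wrapper element names, the `host` entry and the key/value patterns are assumptions; only the `passwd` and `dbtype` entries come from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the snippet in the thread. Only the
# "passwd" and "dbtype" entries are from the post; the rest is assumed.
SAMPLE = """<dataStore>
  <name>nync</name>
  <connectionParameters>
    <entry key="host">localhost</entry>
    <entry key="passwd">crypt1:pw5lO+WAt6nThMc1cywD3Q==</entry>
    <entry key="dbtype">postgis</entry>
  </connectionParameters>
</dataStore>"""

# Assumed heuristics: a key that names a secret, or a value carrying a
# "crypt<N>:" prefix like the one shown in the thread.
SECRET_KEY = re.compile(r"passw(or)?d|secret", re.IGNORECASE)
CRYPT_VALUE = re.compile(r"^crypt\d*:")


def is_secret(entry):
    """True if an <entry> looks like it carries a credential."""
    key = entry.get("key", "")
    value = (entry.text or "").strip()
    return bool(SECRET_KEY.search(key) or CRYPT_VALUE.match(value))


def find_secret_entries(xml_text):
    """Return the keys of all credential-like <entry> elements."""
    root = ET.fromstring(xml_text)
    return [e.get("key") for e in root.iter("entry") if is_secret(e)]


def redact(xml_text):
    """Return the document with credential-like entries removed."""
    root = ET.fromstring(xml_text)
    # Snapshot the tree first so removal does not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "entry" and is_secret(child):
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("flagged keys:", find_secret_entries(SAMPLE))
    print(redact(SAMPLE))
```

Because the ciphertext changes on every call, the check matches on the key name and the `crypt1:` prefix rather than on a fixed value.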
