Hello,

I was looking at externally decrypting a user database managed by GeoFence
and I found this:

https://github.com/geoserver/geofence/blob/master/src/services/core/model/src/main/java/org/geoserver/geofence/core/model/util/PwEncoder.java#L25
https://github.com/geoserver/geofence/blob/master/src/services/core/persistence/src/main/java/org/geoserver/geofence/core/dao/util/PwEncoder.java#L26

Am I missing something, or is this highly insecure? Anyone gaining access to
the database has access to all the passwords instantly, right?

If so, would it work to simply replace it with this?

  // Key material is read once at class initialisation; the encoder uses
  // the first 16 characters of the key string, as the current code does.
  private static final byte[] KEY;
  static {
    String strKey = System.getProperty("GEOFENCE_PWENCODER_KEY");
    if (strKey == null) {
      // Fallback keeps the current hard-coded key when no property is set.
      strKey = "installation dependant key needed";
    }
    if (strKey.length() < 16) {
      throw new IllegalStateException("GEOFENCE_PWENCODER_KEY must be at least 16 characters");
    }
    // Explicit charset: the default getBytes() depends on the platform encoding.
    KEY = strKey.substring(0, 16).getBytes(java.nio.charset.StandardCharsets.UTF_8);
  }

Regards,
Víctor.

-- 
Víctor González
http://geomati.co
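An added example (not GeoFence code) of the externally keyed encoder the question asks about: the key is taken only from a property or environment variable and startup fails if it is missing or has the wrong length, rather than falling back to a constant that is visible in the public source. It assumes a reversible AES-based encoder as in the question; the hypothetical class name, the base64-encoded key and the choice of AES-GCM with a random IV are assumptions of this example, not the project's design.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical replacement encoder: key material never lives in source. */
public final class ExternalKeyPwEncoder {
    private static final int KEY_BYTES = 16;  // AES-128
    private static final int IV_BYTES = 12;   // GCM nonce
    private static final int TAG_BITS = 128;
    private static final byte[] KEY = loadKey();

    // Fail closed: a missing or malformed key aborts startup instead of silently
    // using a default that anyone with read access to the repository knows.
    static byte[] loadKey() {
        String encoded = System.getProperty("GEOFENCE_PWENCODER_KEY",
                                            System.getenv("GEOFENCE_PWENCODER_KEY"));
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("GEOFENCE_PWENCODER_KEY is not set");
        }
        // Base64 gives an exact byte count; substring(0, 16) plus getBytes() does not.
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length != KEY_BYTES) {
            throw new IllegalStateException("GEOFENCE_PWENCODER_KEY must decode to "
                                            + KEY_BYTES + " bytes");
        }
        return key;
    }

    public static String encode(String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);  // fresh IV per value: equal inputs differ in storage
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];  // stored as iv || ciphertext || tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public static String decode(String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);  // tag check fails on tampering
        return new String(pt, StandardCharsets.UTF_8);
    }
}
```

A property or environment variable is still readable by anyone who can inspect the running process, so access to the host needs the same restriction as access to the database. Rows encoded under the old constant key must be re-encoded once the key changes, since the new encoder cannot read them.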
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel