Hi Victor,

> Am I missing something or this is highly insecure? Anyone gaining access to
> the database has access to all the passwords instantly, right?

Well, not "instantly" because they are not clear text, but anyway easily 
decodable.
The lines of code you linked were indeed a reminder to make that key 
customizable.

Anyway we're moving toward having GeoFence integrated into GeoServer, and in 
such enviroment GF uses GS users set, where the beans involved with this 
security issue are not used.

Please feel free to provide a PR to fix this issue.


   Thanks,
   Emanuele


Alle 13:12:27 di Wednesday 12 October 2016, Víctor González ha scritto:
> Hello,
> 
> I was looking at decrypting externally a users database managed by GeoFence
> and I found this:
> 
> https://github.com/geoserver/geofence/blob/master/src/
> services/core/model/src/main/java/org/geoserver/geofence/
> core/model/util/PwEncoder.java#L25
> https://github.com/geoserver/geofence/blob/master/src/
> services/core/persistence/src/main/java/org/geoserver/
> geofence/core/dao/util/PwEncoder.java#L26
> 
> Am I missing something or this is highly insecure? Anyone gaining access to
> the database has access to all the passwords instantly, right?
> 
> If so, would it work to simply replace it with this?
> 
>   private static final byte[] KEY;
>   static {
>     String strKey = System.getProperty("GEOFENCE_PWENCODER_KEY");
>     if (strKey == null) {
>       strKey = "installation dependant key needed";
>     }
>     KEY = strKey.substring(0, 16).getBytes();
>   }
> 
> Regards,
> Víctor.


-- 
==
GeoServer Professional Services from the experts! 
Visit http://goo.gl/NWWaa2 for more information.
==

Ing. Emanuele Tajariol
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax:    +39 0584 1660272
mob:   +39  380 2116282 

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Reply via email to