[ http://jira.codehaus.org/browse/MRM-821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=137156#action_137156 ]
Adrian Hempel, Atlassian commented on MRM-821:
----------------------------------------------
I'm concerned that doing this would only provide the appearance of security,
rather than actual security. Providing a false sense of security can be worse
than no security at all.

Archiva needs the cleartext password to send to the proxy, so it would need to
use reversible encryption, rather than the kind of one-way hash function that
is typically used to protect password files. The decryption algorithm would be
freely available, as it would be in the Archiva code, which is available to
anyone. So, anyone with access to the file and basic Java skills would be able
to decrypt your password without too much difficulty.

Instead, you should protect your Archiva configuration with appropriate file
system permissions.
> Encrypt network proxy password on archiva.xml
> ---------------------------------------------
>
> Key: MRM-821
> URL: http://jira.codehaus.org/browse/MRM-821
> Project: Archiva
> Issue Type: Improvement
> Components: remote proxy
> Affects Versions: 1.0.2
> Environment: ANY
> Reporter: Felipe Requeno
>
> It is common for most companies to provide Internet services through
> network proxies. But it is unlikely to have anonymous access on such nodes.
> Archiva stores passwords in a plain text format, generating a security risk
> or security flaw.
> It is really critical to have an encrypted password in Archiva's configuration
> file.
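The file-system-permission approach recommended in the comment above, as an added example that is not part of the original message or of Archiva: a shell audit that reports when a configuration file holding a cleartext secret is accessible to accounts other than the service's own, plus a helper that tightens it. The file path and the service account's uid are site-specific arguments (assumptions); the page does not say where archiva.xml lives or which account runs Archiva.

```shell
#!/bin/sh
# Added example (not Archiva code): check that a config file holding a
# cleartext secret is accessible only to the account that runs the service.

# Octal permission bits and numeric owner; GNU stat first, BSD stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# audit_secret_file FILE SERVICE_UID
# Prints one line per finding.
# Returns 0 when clean, 1 on findings, 2 if FILE does not exist.
audit_secret_file() {
    file=$1; want_uid=$2; rc=0
    if [ ! -f "$file" ]; then echo "missing: $file"; return 2; fi
    dir=$(dirname "$file")
    fmode=$(mode_of "$file"); dmode=$(mode_of "$dir")

    # Any group/other bit on the file exposes the password (read) or lets
    # another account change the proxy settings (write).
    if [ $(( 0$fmode & 077 )) -ne 0 ]; then
        echo "file mode $fmode grants group/other access: $file"; rc=1
    fi
    # A group/other-writable directory lets another account replace the file.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "directory mode $dmode is group/other writable: $dir"; rc=1
    fi
    # The file should belong to the service account, not a shared or login user.
    owner=$(owner_of "$file")
    if [ "$owner" != "$want_uid" ]; then
        echo "file owner uid is $owner, expected $want_uid: $file"; rc=1
    fi
    return $rc
}

# harden_secret_file FILE
# Removes group/other access from the file and group/other write from its directory.
harden_secret_file() {
    chmod go-rwx "$1" && chmod go-w "$(dirname "$1")"
}

# Usage (both arguments are site-specific placeholders):
#   sh audit.sh /path/to/archiva.xml "$(id -u SERVICE_USER)"
if [ "$#" -eq 2 ]; then audit_secret_file "$1" "$2"; fi
```

This covers only classic mode bits and ownership; ACLs, backups and copies of the file elsewhere need their own review.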