[ https://issues.apache.org/jira/browse/KARAF-4202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15465549#comment-15465549 ]
Christian Schneider commented on KARAF-4202:
--------------------------------------------
There is no hardcoded password in this code. The code snippet shows the
definition of the constant for the key in a map that holds the password.
To me the issue looked a bit like it was automatically generated with a tool
without at least trying to validate the issue by looking into the code, which is
pretty simple. So I was in a bit of a bad mood when looking at all of these issues.
> Password Management: Hardcoded Password
> ---------------------------------------
>
> Key: KARAF-4202
> URL: https://issues.apache.org/jira/browse/KARAF-4202
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Assignee: Jean-Baptiste Onofré
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security scan on karaf source code.
> Analysis: Hardcoded passwords may compromise system security in a way that
> cannot be easily remedied.
> File: jaas/modules/src/main/java/org/apache/karaf/jaas/modules/syncope/SyncopeLoginModule.java
> Line: 47
> SyncopeLoginModule.java, lines 41-49:
> 41 public class SyncopeLoginModule extends AbstractKarafLoginModule {
> 42
> 43 private final static Logger LOGGER = LoggerFactory.getLogger(SyncopeLoginModule.class);
> 44
> 45 public final static String ADDRESS = "address";
> 46 public final static String ADMIN_USER = "admin.user"; // for the backing engine
> 47 public final static String ADMIN_PASSWORD = "admin.password"; // for the backing engine
> 48
> 49 private String address;
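The distinction drawn in the comment above, as an added example that is not part of the original thread and not Karaf's code: the class `OptionKeyDemo`, its methods and all sample values are hypothetical and constructed. `ADMIN_PASSWORD` has the same shape as the flagged line 47 (the literal names a configuration option), while `EMBEDDED_SECRET` shows what a genuine hardcoded-password finding looks like.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical demo class (not Karaf code); all values below are constructed.
public class OptionKeyDemo {

    // Same shape as the flagged line: the literal is the NAME of a config option.
    public static final String ADMIN_PASSWORD = "admin.password";

    // A true positive for contrast: the literal IS the credential.
    private static final String EMBEDDED_SECRET = "constructed-secret-123";

    private final String configuredPassword;

    // 'options' stands in for the configuration map passed in at runtime.
    public OptionKeyDemo(Map<String, ?> options) {
        Object value = options.get(ADMIN_PASSWORD);
        if (!(value instanceof String) || ((String) value).isEmpty()) {
            throw new IllegalArgumentException("missing option: " + ADMIN_PASSWORD);
        }
        this.configuredPassword = (String) value;
    }

    // Secret comes from configuration; the source holds only the key name.
    public boolean checkConfigured(String supplied) {
        return constantTimeEquals(supplied, configuredPassword);
    }

    // Secret ships in the class file; rotating it needs a new build.
    public static boolean checkEmbedded(String supplied) {
        return constantTimeEquals(supplied, EMBEDDED_SECRET);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> options = new HashMap<>();
        options.put(ADMIN_PASSWORD, "value-from-deployment-config");
        OptionKeyDemo demo = new OptionKeyDemo(options);
        // The key name itself is not a credential in the configured path.
        System.out.println("key name accepted: " + demo.checkConfigured(ADMIN_PASSWORD));
        System.out.println("configured value accepted: " + demo.checkConfigured("value-from-deployment-config"));
        System.out.println("embedded literal accepted: " + checkEmbedded("constructed-secret-123"));
    }
}
```

When triaging a scanner hit of this kind, the check is whether the flagged literal ever reaches an authentication call as the credential, or is only used to look the credential up.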