Jetspeed 2.1.2 still uses a simple scramble algorithm for stored SSO passwords - not too secure if the password store gets captured from the DB.
It seems that Roger Ruttimann implemented it like that temporarily until there was an API and UI for handling encryption/re-encryption of the SSO credentials (as with MS SharePoint). But no improvement ever happened (maybe because the issue was closed). Anyone know if a secure encrypted credential store is planned, so that SSO is safer to use in real deployments?

Also, when using the SSO IFrame portlet, changing the password with Edit after you Save your username for a remote system works fine. But if you make a mistake and save the wrong username, you can't then change the username (updateCredentialsForSite). Only the admin can do this, by deleting the J2 user entry from the remote site with the SSO management portlet. Am I doing something wrong here or is it a bug?
