On 16/07/2021 00:25, Greg Wilkins wrote:
> John,
>
> Not secure at all, nor is it intended to be.
>
> The issue is that if the server is to be started automatically without
> the need to enter a passphrase, then encryption cannot be used since the
> server needs to provide the keystore passwords at runtime. OBF is
> simply a way to put the pass phrases into a configuration file so that a
> casual observer looking over your shoulder cannot easily remember the
> configured passwords. MD5 cannot be used at all in this situation (it
> is provided for checking things like BASIC authentication where a
> credential is sent over "the wire" but we want to avoid storing such
> credentials on the server, so we check the MD5 of the provided
> credential with the stored MD5).

Ah, I misread -- I was thinking of password authentication when I read
it. Apols.
--
John English
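
Added example, not part of the original messages and not Jetty's own code: a Python re-implementation of the two schemes discussed above, showing that an OBF value can be turned back into the passphrase the server needs at startup, while an MD5 entry can only be compared against a credential someone presents. It assumes ASCII-only secrets, and the function names are illustrative.

```python
import hashlib
import hmac

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _b36(n: int) -> str:
    """Base-36 encode n, left-padded to the 4 characters OBF uses per byte."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(4, "0")


def obfuscate(secret: str) -> str:
    """OBF encoding for ASCII input: byte i is mixed with its mirror byte."""
    b = secret.encode("ascii")  # assumption: ASCII only, non-ASCII path omitted
    out = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        out.append(_b36((127 + b1 + b2) * 256 + (127 + b1 - b2)))
    return "OBF:" + "".join(out)


def deobfuscate(value: str) -> str:
    """Reverse OBF with no key: i1 + i2 == 254 + 2*b1, so b1 falls out."""
    body = value[len("OBF:"):]
    chars = []
    for k in range(0, len(body), 4):
        i1, i2 = divmod(int(body[k:k + 4], 36), 256)
        chars.append((i1 + i2 - 254) // 2)
    return bytes(chars).decode("ascii")


def md5_entry(secret: str) -> str:
    """One-way form: usable for checking a credential, not for recovering it."""
    return "MD5:" + hashlib.md5(secret.encode("utf-8")).hexdigest()


def check_md5(stored: str, presented: str) -> bool:
    """Compare the MD5 of the presented credential with the stored MD5."""
    return hmac.compare_digest(stored, md5_entry(presented))
```

Because `deobfuscate` needs no key, a configuration file holding an OBF value needs the same file permissions as one holding the passphrase in clear text.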