[
https://issues.apache.org/jira/browse/OFBIZ-9966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16240286#comment-16240286
]
Jacques Le Roux commented on OFBIZ-9966:
----------------------------------------
This was dicussed in https://s.apache.org/FKCQ
> Secure the login.secret_key_string
> ----------------------------------
>
> Key: OFBIZ-9966
> URL: https://issues.apache.org/jira/browse/OFBIZ-9966
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: 16.11.04
>
>
> When OFBIZ-4983 was implemented I missed that we put the
> login.secret_key_string as a property in security properties. This should not
> have been because it eases attackers work.
> The recommended way is to have it as a private static final String that can
> be changed just when compiling using sed and uuidgen. So then the key is
> temporay and final and it gets quite harder for a possible attacker to use
> this mean.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
