Hi Victor,
> Am I missing something or is this highly insecure? Anyone gaining access to
> the database has access to all the passwords instantly, right?
Well, not "instantly" because they are not clear text, but anyway easily
decodable.
The lines of code you linked were indeed a reminder to make that key
customizable.
Anyway we're moving toward having GeoFence integrated into GeoServer, and in
such an environment GF uses the GS user set, where the beans involved with this
security issue are not used.
Please feel free to provide a PR to fix this issue.
Thanks,
Emanuele
At 13:12:27 on Wednesday 12 October 2016, Víctor González wrote:
> Hello,
>
> I was looking at decrypting externally a users database managed by GeoFence
> and I found this:
>
> https://github.com/geoserver/geofence/blob/master/src/
> services/core/model/src/main/java/org/geoserver/geofence/
> core/model/util/PwEncoder.java#L25
> https://github.com/geoserver/geofence/blob/master/src/
> services/core/persistence/src/main/java/org/geoserver/
> geofence/core/dao/util/PwEncoder.java#L26
>
> Am I missing something or is this highly insecure? Anyone gaining access to
> the database has access to all the passwords instantly, right?
>
> If so, would it work to simply replace it with this?
>
> private static final byte[] KEY;
> static {
>     String strKey = System.getProperty("GEOFENCE_PWENCODER_KEY");
>     if (strKey == null) {
>         strKey = "installation dependant key needed";
>     }
>     // explicit charset; note substring() throws if the key is shorter than 16 chars
>     KEY = strKey.substring(0, 16).getBytes(java.nio.charset.StandardCharsets.UTF_8);
> }
>
> Regards,
> Víctor.
--
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/NWWaa2 for more information.
==
Ing. Emanuele Tajariol
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax:+39 0584 1660272
mob: +39 380 2116282
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel