[ https://issues.apache.org/jira/browse/OFBIZ-9966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato updated OFBIZ-9966:
-------------------------------------
    Fix Version/s:     (was: 16.11.04)

> Secure the login.secret_key_string
> ----------------------------------
>
>                 Key: OFBIZ-9966
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9966
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> When OFBIZ-4983 was implemented I missed that we put the
> login.secret_key_string as a property in security properties. This should not
> have been done, because it eases attackers' work.
> The recommended way is to have it as a private static final String that can
> be changed just when compiling using sed and uuidgen. So then the key is
> temporary and final and it gets quite a bit harder for a possible attacker to use
> this means.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
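
A sketch of the build step the issue describes, added here as an example and not taken from the OFBiz code base: a fresh `uuidgen` value is stamped into a `private static final String` with `sed` just before compilation. The class name, field name and `@LOGIN_SECRET_KEY@` placeholder are hypothetical, and the `/proc` fallback is an assumption for hosts without `uuidgen`.

```shell
#!/bin/sh
# Hypothetical names: LoginSecret, SECRET_KEY and the placeholder are
# constructed for this example, not taken from the OFBiz source tree.
PLACEHOLDER='@LOGIN_SECRET_KEY@'

# Write a constructed sample Java source holding the key as a constant.
write_sample_source() {
    cat > "$1" <<'EOF'
public final class LoginSecret {
    private static final String SECRET_KEY = "@LOGIN_SECRET_KEY@";
    private LoginSecret() {}
}
EOF
}

# Print a fresh random UUID; fall back to the Linux kernel source when
# uuidgen is not installed (assumption for portability of the example).
new_key() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        cat /proc/sys/kernel/random/uuid
    fi
}

# stamp_key SRC DST: write SRC to DST with the placeholder replaced by a
# new key. Returns non-zero when the placeholder is absent or the key is
# malformed, so a build cannot silently ship a stale or default key.
stamp_key() {
    src=$1
    dst=$2
    grep -q "\"$PLACEHOLDER\"" "$src" || { echo "no placeholder in $src" >&2; return 1; }
    key=$(new_key) || return 1
    # Only hex digits and '-' are allowed, which keeps the sed replacement safe.
    case $key in
        ''|*[!0-9A-Fa-f-]*) echo "unexpected key format" >&2; return 1 ;;
    esac
    sed "s/\"$PLACEHOLDER\"/\"$key\"/" "$src" > "$dst" || return 1
    ! grep -q "$PLACEHOLDER" "$dst"
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d)
write_sample_source "$tmp/LoginSecret.java.in"
stamp_key "$tmp/LoginSecret.java.in" "$tmp/LoginSecret.java" && grep 'SECRET_KEY' "$tmp/LoginSecret.java"
rm -rf "$tmp"
```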