[jira] [Updated] (OFBIZ-9966) Secure the login.secret_key_string

Jacopo Cappellato (JIRA) Tue, 02 Jan 2018 10:26:22 -0800

     [ 
https://issues.apache.org/jira/browse/OFBIZ-9966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Jacopo Cappellato updated OFBIZ-9966:
-------------------------------------
    Fix Version/s:     (was: 16.11.04)

> Secure the login.secret_key_string
> ----------------------------------
>
>                 Key: OFBIZ-9966
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9966
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> When OFBIZ-4983 was implemented I missed that we put the 
> login.secret_key_string as a property in security properties. This should not 
> have been because it eases attackers work.
> The recommended way is to have it as a private static final String that can 
> be changed just when compiling using sed and uuidgen. So then the key is 
> temporay and final and it gets quite harder for a possible attacker to use 
> this mean.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (OFBIZ-9966) Secure the login.secret_key_string

Reply via email to