But if you can ever see them in webtools isn't that an issue. I thought
they should be treated the same as passwords.
My example was from logging in as admin then going to
https://demo-trunk.ofbiz.apache.org:8443/webtools/control/FindGeneric?entityName=CreditCard&find=true&VIEW_SIZE=50&VIEW_INDEX=0
On 1/28/2011 1:17 PM, Scott Gray wrote:
It's a two-way encryption (for obvious reasons), I'm pretty sure the
numbers remain encrypted when viewed through webtools but are
purposely decrypted when exporting the table to facilitate database
migrations and the like.
Regards Scott
HotWax Media http://www.hotwaxmedia.com
On 29/01/2011, at 3:36 AM, Stephen Rufle wrote:
I created Credit Card entries using OfBiz 10.04. In the Web Tools
and when I export to XML I can see the credit card number I entered
in plain text. I expected that they would show up like
UserLogin.currentPassword. I am currently using test card numbers.
Is it possible there is a property file setting I am missing?
Otherwise it looks like if a malicious user was able to get access
to the "Web Tools" application they could steal credit card
numbers.
I checked the credit_card database table using a sql tool and the
values do look encrypted in some way, but unlike the user_login
table it does not have an SHA prefix "{SHA}[long string of
digits]"
