Yeah I was wrong, it isn't encrypted when displayed in webtools. I guess the rationale is that if you've got access to webtools then you can pretty much do anything you like, even if they were displayed encrypted the user would also have access to the key that was used to encrypt them anyway.
Passwords are different because they are one-way encrypted.

Regards
Scott

On 29/01/2011, at 9:42 AM, Stephen Rufle wrote:

> But if you can ever see them in webtools isn't that an issue. I thought they
> should be treated the same as passwords.
>
> My example was from logging in as admin then going to
> https://demo-trunk.ofbiz.apache.org:8443/webtools/control/FindGeneric?entityName=CreditCard&find=true&VIEW_SIZE=50&VIEW_INDEX=0
>
> On 1/28/2011 1:17 PM, Scott Gray wrote:
>> It's a two-way encryption (for obvious reasons), I'm pretty sure the
>> numbers remain encrypted when viewed through webtools but are
>> purposely decrypted when exporting the table to facilitate database
>> migrations and the like.
>>
>> Regards
>> Scott
>>
>> HotWax Media
>> http://www.hotwaxmedia.com
>>
>> On 29/01/2011, at 3:36 AM, Stephen Rufle wrote:
>>
>>> I created Credit Card entries using OfBiz 10.04. In the Web Tools
>>> and when I export to XML I can see the credit card number I entered
>>> in plain text. I expected that they would show up like
>>> UserLogin.currentPassword. I am currently using test card numbers.
>>> Is it possible there is a property file setting I am missing?
>>> Otherwise it looks like if a malicious user was able to get access
>>> to the "Web Tools" application they could steal credit card
>>> numbers.
>>>
>>> I checked the credit_card database table using a sql tool and the
>>> values do look encrypted in some way, but unlike the user_login
>>> table it does not have an SHA prefix "{SHA}[long string of
>>> digits]"
>>
