How to secure passwords in data sources is described in the document Synapse_Samples_Setup.html under the section "Securing Password and Setting up Synapse DataSources". I will try to add this to VFS too.
Indika

On Mon, Apr 6, 2009 at 7:28 AM, Kim Horn <[email protected]> wrote:
> Are these security fixes for Data source going into 1.3 ?
> If not then an interim hack really needs to be done; we just cannot use
> Synapse at all with passwords in Clear Text.
> Suggestions:
>
> 1) Implement an interface that does decryption; so user can supply
> their own code whatever that is. So specify a decrypt method that takes a
> string and returns a string.
>
> 2) To fix Data sources add a parameter:
> <decryption-class>class-Name</decryption-class>
> - this takes the supplied password in current <password> tag and gets the
> decrypted password from class above.
>
> 3) To fix VFS need to supply new set of URL options:
> <host-path>host-name:port/path</host-path>
> <user>synapse</user>
> <password>encrypted-password</password>
> <decryption-class>class-Name</decryption-class>
>
> - given the above the current <parameter name="transport.vfs.FileURI"> can be
> built.
> To be consistent with the strange VFS parameters the above can be changed to
> something like:
>
> <parameter name="transport.vfs.hostPath">host-name:port/path</parameter>
> <parameter name="transport.vfs.user">username</parameter>
> <parameter name="transport.vfs.password">encrypted-password</parameter>
> <parameter name="transport.vfs.decryptionClass">class-Name</parameter>
>
>
> If people agree to this I will create a Jira and start to do the work.
>
>
> Kim
>
> -----Original Message-----
> From: Andreas Veithen [mailto:[email protected]]
> Sent: Friday, 3 April 2009 5:54 AM
> To: [email protected]
> Subject: Re: Can VFS SFTP Passwords be encrypted
>
> I agree that it should be possible to use all Synapse features without
> having to store cleartext passwords in the config files (and without
> having them appear in log files).
>
> Just some random ideas about this topic:
>
> * Indika implemented a mechanism for exactly this, but for the moment
> this is limited to data sources. There is some documentation about
> this feature, but it is somewhat hidden in the Sample Setup guide. We
> should have this documentation in a more prominent place. Maybe as a
> subsection in the new Deployment guide?
>
> * As an alternative to usernames and passwords encoded in URLs,
> Commons VFS supports authentication by passing a
> org.apache.commons.vfs.UserAuthenticator object to the file system
> provider. Maybe we should define a property in the message context to
> allow to pass such an object to the transport. Alternatively we could
> write an adapter so that we can handle e.g. HTTPS and VFS
> authentication in the same way.
>
> * We should then have a mediator that builds the UserAuthenticator
> using the password encryption mechanisms implemented by Indika.
>
> Any thoughts?
>
> Andreas
>
> On Thu, Apr 2, 2009 at 00:34, Kim Horn <[email protected]> wrote:
>> It may, we are given simple text passwords by systems we have to
>> interface to. FTP is still the largest B2B mechanism in the US :-). We
>> cannot ask them to supply us anything else but a simple
>> username/password; this is the reality of B2B. The only issue we have
>> is that these are not kept in clear text in script files. In our domain
>> this is illegal and in all other domains bad practise. So all we
>> require is to be able to have these encrypted in any script files. I
>> think this Jira suggests a stronger mechanism, sharing keys between SFTP
>> servers, but is totally impractical in real world B2B.
>>
>>
>> Kim
>>
>> -----Original Message-----
>> From: Asankha Perera [mailto:[email protected]] On Behalf Of
>> Asankha C. Perera
>> Sent: Thursday, 2 April 2009 3:48 AM
>> To: [email protected]
>> Subject: Re: Can VFS SFTP Passwords be encrypted
>>
>> Hi Jay / Kim
>>> A suggestion. SFTP can use PKI shared keys for authentication. The
>>> keys are host+user specific.
>>>
>>> I am not familiar enough with Synapse to know exactly how you'd go
>>> about it, but I do suggest that the answer lies in using PKI.
>>>
>> I guess https://issues.apache.org/jira/browse/SYNAPSE-507 is a proper
>> solution for this.. and possibly we could already tweak VFS to do this..
>>
>> cheers
>> asankhaa
>>
>> --
>> Asankha C. Perera
>> AdroitLogic, http://adroitlogic.org
>>
>> http://esbmagic.blogspot.com
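As an added example, not code from this thread or from the Synapse project, here is one way Kim's `transport.vfs.*` decryption-class parameters (suggestion 3) and Andreas's UserAuthenticator idea could fit together in Java: the configured class decrypts the stored value, and the cleartext is handed to Commons VFS through a UserAuthenticator rather than embedded in the FileURI, so the URI that ends up in log files carries no secret. `VfsCredentialResolver` and `PasswordDecryptor` are hypothetical names, and the Commons VFS classes `StaticUserAuthenticator` and `DefaultFileSystemConfigBuilder` are assumed to be available in the VFS version in use.

```java
import java.util.Map;
import org.apache.commons.vfs.FileSystemOptions;
import org.apache.commons.vfs.UserAuthenticator;
import org.apache.commons.vfs.auth.StaticUserAuthenticator;
import org.apache.commons.vfs.impl.DefaultFileSystemConfigBuilder;

/**
 * Hypothetical resolver for the transport.vfs.* parameters proposed in the thread.
 * The cleartext password is passed to Commons VFS via a UserAuthenticator, so it
 * never becomes part of the FileURI string that the transport may log or echo.
 */
public class VfsCredentialResolver {

    /** The String-in/String-out decrypt hook from suggestion 1 (hypothetical name). */
    public interface PasswordDecryptor {
        String decrypt(String encrypted);
    }

    /** URI built from the host part only; credentials are deliberately left out. */
    public static String hostUri(Map<String, String> params) {
        return "sftp://" + required(params, "transport.vfs.hostPath");
    }

    /** Loads the configured decryption class and wraps the result in VFS options. */
    public static FileSystemOptions options(Map<String, String> params) throws Exception {
        String className = required(params, "transport.vfs.decryptionClass");
        // A class that does not exist or does not implement the hook fails loudly here,
        // which is preferable to silently falling back to the stored (encrypted) value.
        PasswordDecryptor decryptor =
            (PasswordDecryptor) Class.forName(className).newInstance();
        String clear = decryptor.decrypt(required(params, "transport.vfs.password"));

        UserAuthenticator auth = new StaticUserAuthenticator(
            null, required(params, "transport.vfs.user"), clear);
        FileSystemOptions opts = new FileSystemOptions();
        DefaultFileSystemConfigBuilder.getInstance().setUserAuthenticator(opts, auth);
        return opts;
    }

    private static String required(Map<String, String> params, String name) {
        String value = params.get(name);
        if (value == null || value.length() == 0) {
            throw new IllegalArgumentException("Missing VFS parameter: " + name);
        }
        return value;
    }
}
```

A caller then passes `hostUri(params)` and `options(params)` to `VFS.getManager().resolveFile(uri, opts)`, so the only URI visible in logs is `sftp://host-name:port/path`.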
