From: Ofir R. <of...@ql...> - 2006-01-09 11:42:47
On Monday 09 January 2006 05:42, Kris Buytaert wrote:
> My next question however is.. do passwords really belong in a database
> in cleartext ?

I agree that this is not ideal, but to have access to these clear text passwords you would need either:

1. root user to the openQRM server - since this gives you access to the tomcat configuration file, you can override the "security settings" there.
2. database access at the same level as the QRM server - and then you can make any user a "super user" (or wreak havoc in many different ways).

We are focusing more on providing different methods of user authentication (like integration with an LDAP server) than on encrypting the database passwords.

I hope this answered your question. More comments are very welcome.

Regards,
Ofir