[vqwiki-dev] VQW-78 - do not store passwords in plain text

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Comment by Martijn van der Kleijn [20-04-2006 12:00]
 >Not for version 2.7.8.
 >
 >We already have a lot of things to test for release 2.7.8, so much so 
 >that I might have to relabel it to 2.8.0 ;-)

Hi Martijn,

Are you 100% against including this feature for 2.7.8?  I've implemented 
it to be optional, the code is working and tested locally, and I'll 
continue to test over the coming days.  More importantly, in the last 
eight years I've never worked at a company where it would be OK to both 
store plain-text passwords in property files and display plain-text 
passwords on an admin screen, so this seems like kind of a big issue.  I 
wanted to attach a diff to this email but Sourceforge CVS seems to be 
down so I've just included some of the relavent new methods at the end 
of this email and attached the new Encryption.java class so you can take 
a look - the changes are fairly small, with the most intrusive element 
being a new message in the various ApplicationResources.properties files 
for the admin screen label.

As a side note, when you say "we already have a lot of things to test 
for release 2.7.8", what do you envision for the testing process?  I've 
been using the latest code locally and haven't encountered any 
surprises, and I think Andreas is using the latest code at his company 
as well.  What additional testing did you have in mind?  I'm obviously 
planning to do a run-through of everything after the code freeze, but I 
get the sense that there aren't really any major bugs lurking (hopefully 
that doesn't jinx us!).

Cheers,

Ryan

/**
  *
  */
public boolean getEncodePasswords() {
     return getBooleanSetting(PROPERTY_ENCODE_PASSWORDS);
}

/**
  *
  */
public void setEncodePasswords(boolean encode) throws Exception {
     // get passwords prior to changing encryption
     String adminPassword = this.getAdminPassword();
     String dbPassword = this.getPassword();
     String smtpPassword = this.getSmtpPassword();
     String userGroupPassword = this.getUserGroupPassword();
     // change encryption
     setSetting(PROPERTY_ENCODE_PASSWORDS, encode);
     // re-set passwords with changed encryption
     setAdminPassword(adminPassword);
     setPassword(dbPassword);
     setSmtpPassword(smtpPassword);
     setUserGroupPassword(userGroupPassword);
}

/**
  *
  */
public String getPassword() {
     if (getBooleanSetting(PROPERTY_ENCODE_PASSWORDS)) {
         return Encryption.decrypt(getStringSetting(PROPERTY_PASSWORD));
     }
     return getStringSetting(PROPERTY_PASSWORD);
}