[vqwiki-dev] VQW-78 - do not store passwords in plain text
Status: Abandoned
From: Ryan H. <rya...@gm...> - 2006-04-20 20:52:30
Comment by Martijn van der Kleijn [20-04-2006 12:00]
> Not for version 2.7.8.
>
> We already have a lot of things to test for release 2.7.8, so much so
> that I might have to relabel it to 2.8.0 ;-)

Hi Martijn,

Are you 100% against including this feature for 2.7.8? I've implemented it to be optional, the code is working and tested locally, and I'll continue to test over the coming days. More importantly, in the last eight years I've never worked at a company where it would be OK to both store plain-text passwords in property files and display plain-text passwords on an admin screen, so this seems like kind of a big issue.

I wanted to attach a diff to this email but Sourceforge CVS seems to be down, so I've just included some of the relevant new methods at the end of this email and attached the new Encryption.java class so you can take a look - the changes are fairly small, with the most intrusive element being a new message in the various ApplicationResources.properties files for the admin screen label.

As a side note, when you say "we already have a lot of things to test for release 2.7.8", what do you envision for the testing process? I've been using the latest code locally and haven't encountered any surprises, and I think Andreas is using the latest code at his company as well. What additional testing did you have in mind? I'm obviously planning to do a run-through of everything after the code freeze, but I get the sense that there aren't really any major bugs lurking (hopefully that doesn't jinx us!).
Cheers,
Ryan

    /**
     * Returns whether passwords are stored in encoded form in the property file.
     */
    public boolean getEncodePasswords() {
        return getBooleanSetting(PROPERTY_ENCODE_PASSWORDS);
    }

    /**
     * Switches password encoding on or off. The stored passwords are read
     * under the current setting first, then written back under the new one,
     * so no value is ever decoded with the wrong setting.
     */
    public void setEncodePasswords(boolean encode) throws Exception {
        // get passwords prior to changing encryption
        String adminPassword = this.getAdminPassword();
        String dbPassword = this.getPassword();
        String smtpPassword = this.getSmtpPassword();
        String userGroupPassword = this.getUserGroupPassword();
        // change encryption
        setSetting(PROPERTY_ENCODE_PASSWORDS, encode);
        // re-set passwords with changed encryption
        setAdminPassword(adminPassword);
        setPassword(dbPassword);
        setSmtpPassword(smtpPassword);
        setUserGroupPassword(userGroupPassword);
    }

    /**
     * Returns the database password, decrypting the stored value when
     * password encoding is enabled.
     */
    public String getPassword() {
        if (getBooleanSetting(PROPERTY_ENCODE_PASSWORDS)) {
            return Encryption.decrypt(getStringSetting(PROPERTY_PASSWORD));
        }
        return getStringSetting(PROPERTY_PASSWORD);
    }
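The read-then-flip-then-rewrite order of setEncodePasswords() is the part that is easy to get wrong, so here it is as an added illustration in Python; this is not code from the mail or from vqwiki. The Environment class, the property key strings and the "ENC:" prefix are assumptions, and the base64 codec only stands in for the attached Encryption.java, which the mail does not quote.

```python
import base64

# Property keys mirror the names in the mail; the Environment class and the
# ENC: prefix are assumptions made for this illustration.
PROPERTY_ENCODE_PASSWORDS = "encode-passwords"
PROPERTY_ADMIN_PASSWORD = "admin-password"
PROPERTY_PASSWORD = "db-password"
PROPERTY_SMTP_PASSWORD = "smtp-password"
PASSWORD_KEYS = (PROPERTY_ADMIN_PASSWORD, PROPERTY_PASSWORD, PROPERTY_SMTP_PASSWORD)
PREFIX = "ENC:"  # marks a stored value as encoded

# Stand-in for the attached Encryption.java (not quoted in the mail): reversible
# because DB/SMTP passwords are needed at runtime; base64 here is NOT encryption.
def encrypt(plain):
    return PREFIX + base64.b64encode(plain.encode()).decode()

def decrypt(stored):
    if not stored.startswith(PREFIX):
        raise ValueError("stored value is not encoded")
    return base64.b64decode(stored[len(PREFIX):]).decode()

class Environment:
    """Minimal stand-in for the settings object the Java methods belong to."""
    def __init__(self, settings):
        self.settings = dict(settings)

    def encoding_enabled(self):
        return bool(self.settings.get(PROPERTY_ENCODE_PASSWORDS, False))

    def get_password(self, key):
        stored = self.settings.get(key, "")
        return decrypt(stored) if self.encoding_enabled() else stored

    def set_password(self, key, value):
        self.settings[key] = encrypt(value) if self.encoding_enabled() else value

    def set_encode_passwords(self, encode):
        # Same order as the Java setEncodePasswords(): read every password
        # under the old setting, flip the flag, then write them all back.
        current = {k: self.get_password(k) for k in PASSWORD_KEYS}
        self.settings[PROPERTY_ENCODE_PASSWORDS] = encode
        for key, value in current.items():
            self.set_password(key, value)

def stored_in_plain_text(env):
    """Keys whose stored value is still the plain-text password."""
    return [k for k in PASSWORD_KEYS if not env.settings[k].startswith(PREFIX)]
```

Toggling the flag twice in a row is safe because each pass reads under the setting that was in force when the values were written.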