]
Marcus Moyses updated SECURITY-292:
-----------------------------------
Fix Version/s: JBossSecurity_2.0.4.SP5
(was: JBossSecurity_2.0.4.SP4)
org.jboss.security.plugins.FilePassword requires write permission for
decoding
------------------------------------------------------------------------------
Key: SECURITY-292
URL:
https://issues.jboss.org/browse/SECURITY-292
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.1.GA, 2.0.2-BETA, 2.0.1-BETA1, 2.0.1-BETA2, 2.0.2-BETA3,
2.0.2-BETA4, 2.0.2-BETA5, 2.0.2-BETA6, 2.0.2.Beta7, JBossSecurity_2.0.2.CR1, 2.0.2.CR2,
2.0.2.CR3, 2.0.2.CR4, 2.0.2.CR5, 2.0.2.CR6, 2.0.2.CR7, 2.0.2.CR8
Environment: JBoss AS 4.2.3.GA
Reporter: Alan Feng
Assignee: Marcus Moyses
Priority: Minor
Fix For: JBossSecurity_2.0.4.SP5, PicketBox_v4_0_alpha3
Attachments: SECURITY-292.patch
We use org.jboss.security.plugins.FilePassword to avoid storing passwords in clear text.
Once created, we'd like to change the file's permission to read-only for regular
users in order to ensure that only trusted users can update it.
However, this won't work as the class FilePassword always requires write permission
even for decoding the password. The class should be modified so that write permission is
only required when create / update the password file.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: