[https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin....]
Brett Meyer edited comment on SRAMP-380 at 7/28/14 8:54 AM:
------------------------------------------------------------
Pasting some comments from [~eric.wittmann]:
{quote}
I'm skeptical that users.properties will be useful, although I hope I'm wrong.
The reason is that users.properties is the file used by fuse/jetty to set up the default
realm users and their roles. The format is:
username=password,csv,list,of,roles
I do not know if it can be used as a general place to stash encrypted values.
While it is great if they auto-encrypt the passwords in that file on startup that only
solves 1/2 of the problem. The other .5 is that we store passwords to other systems (e.g.
dtgov stores an s-ramp user/password combo) that our code needs to access to work
properly. RTGov client does the same thing (needs to store credentials of a potentially
remote rtgov server).
Again - hopefully I'm wrong but wanted you guys to understand the full scope.
In EAP what we do is store the passwords in the EAP Vault, which results in a vault-string
that we store in our .properties files as:
${vault:VAULT_STRING_HERE}
We have a property resolver that knows how to resolve ${vault:} style properties from
our .properties files (custom property resolvers is a commons-config feature).
{quote}
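The `${vault:...}` resolution Eric describes above, written out as an added example (not S-RAMP's, dtgov's or RTGov's own code): it assumes Commons Configuration 1.x with its `ConfigurationInterpolator`/`StrLookup` lookup hook, and a constructed in-memory map standing in for the EAP Vault, with the vault key `VAULT::sramp::password::1` a made-up placeholder.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.commons.configuration.interpol.ConfigurationInterpolator;
import org.apache.commons.lang.text.StrLookup;

public class VaultLookupExample {
    // Constructed stand-in for the EAP Vault: vault string -> secret.
    // In EAP the secret lives in the vault keystore, never in the .properties file.
    static final Map<String, String> FAKE_VAULT = new HashMap<String, String>();
    static {
        FAKE_VAULT.put("VAULT::sramp::password::1", "s3cr3t");   // placeholder key/value
    }

    // Custom property resolver for the "vault" prefix, i.e. ${vault:KEY}.
    // It fails closed: a missing entry is an error, not an empty password.
    static class VaultLookup extends StrLookup {
        @Override
        public String lookup(String key) {
            String value = FAKE_VAULT.get(key);
            if (value == null) {
                throw new IllegalStateException("no vault entry for key " + key);
            }
            return value;
        }
    }

    public static void main(String[] args) throws Exception {
        // Register the resolver once; every PropertiesConfiguration then understands ${vault:...}.
        ConfigurationInterpolator.registerGlobalLookup("vault", new VaultLookup());

        PropertiesConfiguration config = new PropertiesConfiguration();
        // Constructed sample of what a dtgov-style .properties file holds instead of clear text.
        config.load(new StringReader(
            "sramp.user=admin\n" +
            "sramp.password=${vault:VAULT::sramp::password::1}\n"));

        // getString() interpolates, so the clear-text value exists only in memory at runtime.
        String password = config.getString("sramp.password");
        System.out.println("resolved password length: " + password.length());
    }
}
```

Only the vault string appears on disk; an attacker reading the .properties file gets a reference, not a credential, which is the gap the users.properties approach alone does not close.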
Passwords in clear text when running in Fuse 6.1
------------------------------------------------
Key: SRAMP-380
URL:
https://issues.jboss.org/browse/SRAMP-380
Project: S-RAMP
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Eric Wittmann
Assignee: David virgil naranjo
Fix For: 0.5.0
When we install into JBoss EAP we make sure that we don't have any clear text
passwords in any configuration files. This is made possible by using the Vault, which
allows us to store passwords in the vault and then refer to those vault locations from our
config files.
I don't know if there is something similar to be done in Fuse 6.1.
In addition, the login credentials for supported users in EAP are not stored in clear
text (the EAP Application Realm config files store an encrypted version of the
passwords).
In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear
text.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)