[jboss-jira] [JBoss JIRA] Resolved: (SECURITY-292) org.jboss.security.plugins.FilePassword requires write permission for decoding
Marcus Moyses (JIRA)
jira-events at lists.jboss.org
Tue Jan 4 10:45:19 EST 2011
[ https://issues.jboss.org/browse/SECURITY-292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcus Moyses resolved SECURITY-292.
------------------------------------
Fix Version/s: JBossSecurity_2.0.4.SP4, PicketBox_v4_0_alpha3
Resolution: Done
Applied proposed patch
> org.jboss.security.plugins.FilePassword requires write permission for decoding
> ------------------------------------------------------------------------------
>
> Key: SECURITY-292
> URL: https://issues.jboss.org/browse/SECURITY-292
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.1.GA, 2.0.2-BETA, 2.0.1-BETA1, 2.0.1-BETA2, 2.0.2-BETA3, 2.0.2-BETA4, 2.0.2-BETA5, 2.0.2-BETA6, 2.0.2.Beta7, JBossSecurity_2.0.2.CR1, 2.0.2.CR2, 2.0.2.CR3, 2.0.2.CR4, 2.0.2.CR5, 2.0.2.CR6, 2.0.2.CR7, 2.0.2.CR8
> Environment: JBoss AS 4.2.3.GA
> Reporter: Alan Feng
> Assignee: Marcus Moyses
> Priority: Minor
> Fix For: JBossSecurity_2.0.4.SP4, PicketBox_v4_0_alpha3
>
> Attachments: SECURITY-292.patch
>
>
> We use org.jboss.security.plugins.FilePassword to avoid storing passwords in clear text. Once created, we'd like to change the file's permission to read-only for regular users in order to ensure that only trusted users can update it.
> However, this won't work as the class FilePassword always requires write permission even for decoding the password. The class should be modified so that write permission is only required when creating / updating the password file.