[jbosstools-issues] [JBoss JIRA] (JBIDE-10490) do not store server passwords in plain text

Rob Stryker (Commented) (JIRA) jira-events at lists.jboss.org
Thu Dec 22 10:33:09 EST 2011


    [ https://issues.jboss.org/browse/JBIDE-10490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12652841#comment-12652841 ] 

Rob Stryker commented on JBIDE-10490:
-------------------------------------

Having a hard time coming up with ways to ensure this is correct and secure, really. Unfortunately, the methods where we set a password are only performed on working copies of the server. For example, in the editor. Editors obviously must be saved to persist the changes. However, there is no servertools API to get a delta when a server object has changed. We can't know what keys have changed, and we can't respond to the change. Not really.

If a user is editing something in the server editor, such as credentials, I only really have two options. I can save the new username / password combo every time they push a keystroke. This, obviously, does not go along with the idea of a working copy at all. It'd be persisting changes before the user has saved the editor, and, if the user cancels the editor without saving, we have no way to reverse it. 

The other option is to only store it inside the server in plain text, as is done now. Then, on a server save, get the value stored in the server, put it into secure storage, and clear it from the server object. 

Both of these seem absolutely 100% horrible. 
                
> do not store server passwords in plain text
> -------------------------------------------
>
>                 Key: JBIDE-10490
>                 URL: https://issues.jboss.org/browse/JBIDE-10490
>             Project: Tools (JBoss Tools)
>          Issue Type: Bug
>          Components: JBossAS/Servers
>            Reporter: Max Rydahl Andersen
>            Assignee: Rob Stryker
>            Priority: Blocker
>             Fix For: 3.3.0.Beta1
>
>
> Last time we looked at this, passwords were still being stored "unsafely" - opening this to make sure we get that fixed by using Eclipse's secure storage APIs
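
A minimal in-memory model of the second option described in the comment above (the password sits in the working copy, is moved to secure storage on save, then cleared from the server object), including the cancel-without-save case. This is an added example, not JBoss Tools or WTP code: the `Server`, `WorkingCopy` and `secureStore` types and the attribute keys are hypothetical stand-ins, with a plain map standing in for Eclipse secure storage.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model, not JBoss Tools or WTP code: every type and key name is hypothetical.
public class SaveTimeMigration {
    static final String PASSWORD_KEY = "example.password"; // hypothetical attribute key

    // Stand-in for the secure store (Eclipse secure storage in the real tool).
    static final Map<String, String> secureStore = new HashMap<>();

    // Stand-in for a saved server: these attributes are what would be written to disk.
    static class Server {
        final String id;
        final Map<String, String> persisted = new HashMap<>();
        Server(String id) { this.id = id; }
        WorkingCopy createWorkingCopy() { return new WorkingCopy(this); }
    }

    // Stand-in for the editor's working copy: edits stay in memory until save().
    static class WorkingCopy {
        final Server original;
        final Map<String, String> pending;
        WorkingCopy(Server s) { original = s; pending = new HashMap<>(s.persisted); }
        void setAttribute(String key, String value) { pending.put(key, value); }

        // Save hook: move the password to the secure store, then persist the rest.
        void save() {
            String pw = pending.remove(PASSWORD_KEY); // clear it from the server object
            if (pw != null) secureStore.put(original.id + "/" + PASSWORD_KEY, pw);
            original.persisted.clear();
            original.persisted.putAll(pending);
        }
    }

    public static void main(String[] args) {
        Server server = new Server("server-1");

        WorkingCopy cancelled = server.createWorkingCopy();
        cancelled.setAttribute(PASSWORD_KEY, "typed-then-cancelled"); // plain text, memory only
        // Editor closed without save(): nothing reached either store.
        System.out.println("after cancel, secure store: " + secureStore);

        WorkingCopy saved = server.createWorkingCopy();
        saved.setAttribute("example.username", "admin");
        saved.setAttribute(PASSWORD_KEY, "constructed-secret");
        saved.save();
        System.out.println("persisted attributes: " + server.persisted);
        System.out.println("secure store keys: " + secureStore.keySet());
        if (server.persisted.containsKey(PASSWORD_KEY)) throw new AssertionError("password persisted");
    }
}
```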
