Posted to issues@geode.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/06/13 17:20:00 UTC

[jira] [Commented] (GEODE-1958) Remove PasswordUtil

    [ https://issues.apache.org/jira/browse/GEODE-1958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16048128#comment-16048128 ] 

ASF GitHub Bot commented on GEODE-1958:
---------------------------------------

GitHub user YehEmily opened a pull request:

    https://github.com/apache/geode/pull/578

    GEODE-1958: Removing PasswordUtil

    [View the original JIRA ticket here.](https://issues.apache.org/jira/browse/GEODE-1958)
    
    `PasswordUtil.java` contained methods used to encrypt a password to be stored in `cache.xml`, which was an unsafe way to handle security. As a result, most methods in `PasswordUtil.java` were removed _except_ `decrypt(String password)`, since we want to maintain backwards compatibility. `decrypt(String password)` has been deprecated, and references to encrypting passwords have been removed.
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/YehEmily/geode GEODE-1958-v3

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/geode/pull/578.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #578
    
----
commit 2f08e08fa7fec127324ee47a338d331bf059bbf6
Author: YehEmily <em...@gmail.com>
Date:   2017-06-12T18:42:15Z

    GEODE-1958: Working on removing PasswordUtil and all related commands, classes, etc. Keeping decrypt() method to maintain backwards compatibility.

----


> Remove PasswordUtil 
> --------------------
>
>                 Key: GEODE-1958
>                 URL: https://issues.apache.org/jira/browse/GEODE-1958
>             Project: Geode
>          Issue Type: Bug
>          Components: security
>            Reporter: Diane Hardman
>            Assignee: Emily Yeh
>            Priority: Minor
>
> PasswordUtil was used to encrypt a password to be stored in cache.xml. This was not secure since anyone could copy the "encrypted" string to another cache.xml to gain access. Therefore this utility was not particularly useful and should be removed.


