You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2018/02/20 12:10:00 UTC
[jira] [Closed] (OFBIZ-9966) Secure the login.secret_key_string
[ https://issues.apache.org/jira/browse/OFBIZ-9966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-9966.
----------------------------------
Resolution: Won't Fix
Fix Version/s: 16.11.05
17.12.01
Nobody answered to my last message on dev ML. So I think nobody else cares about this and I can close as won't fix. I don't use not a problem, because for me it's not the best way and I explained why as much as I could.
Reverted in
trunk r1824855 (completes r1814392)
R17.2 r1824856 (completes r1814392)
R16.11 r1824857
> Secure the login.secret_key_string
> ----------------------------------
>
> Key: OFBIZ-9966
> URL: https://issues.apache.org/jira/browse/OFBIZ-9966
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: 17.12.01, 16.11.05
>
>
> When OFBIZ-4983 was implemented I missed that we put the login.secret_key_string as a property in security properties. This should not have been because it eases attackers work.
> The recommended way is to have it as a private static final String that can be changed just when compiling using sed and uuidgen. So then the key is temporay and final and it gets quite harder for a possible attacker to use this mean.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)