You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Bart van der Schans (JIRA)" <ji...@apache.org> on 2011/08/08 17:10:27 UTC

[jira] [Commented] (JCR-2697) Add support for encrpted db password in repository.xml

    [ https://issues.apache.org/jira/browse/JCR-2697?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13080991#comment-13080991 ] 

Bart van der Schans commented on JCR-2697:
------------------------------------------

Hi Jukka,

It could be that I'm missing something completely, but how is encoding the same as encryption? It doesn't make sense to me to use base64 encoding for storing passwords as you can just decode them. I don't think there's any (easy) way to decrypt an encrypted password and use it for the db connection in a really secure way. Maybe you can try to obfuscate a pre-shared key in the java code and use that to decrypt the encrypted password. That would at least make it much harder to decipher the password but certainly not impossible.

Another option might be to just ask for the password on startup which is often the case with ssl certificates in httpd, but it makes restarting much more a hassle. You can automate most of that though, for example with scripts that remotely login over ssh, except when a server comes up after a reboot.

Regards,
Bart

> Add support for encrpted db password in repository.xml
> ------------------------------------------------------
>
>                 Key: JCR-2697
>                 URL: https://issues.apache.org/jira/browse/JCR-2697
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: config
>    Affects Versions: 2.1.0
>            Reporter: Jervis Liu
>            Assignee: Jukka Zitting
>            Priority: Critical
>             Fix For: 2.3.0
>
>
> Basically this is same to the issue https://issues.apache.org/jira/browse/JCR-2673. I can not reopen JCR-2673, so I filed a new one instead. 
> The reason for this jira is because for a lot of companies it is not allowed to store password in a clear text. 
> Sorry, I dont know how this can be implemented yet. But I hope at least the requirement is clear. 
> Thanks.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira