Posted to dev@jspwiki.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2014/10/06 11:21:33 UTC

[jira] [Commented] (JSPWIKI-205) Obfuscate on disk content type

    [ https://issues.apache.org/jira/browse/JSPWIKI-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160129#comment-14160129 ] 

Glen Mazza commented on JSPWIKI-205:
------------------------------------

Hi David, your patch is hardcoding a salt value (apparently used in the encryption) if one is not provided by the user:

salt = TextUtil.getStringProperty(cryptoProperties,PROP_CRYPTO_SALT, "Ra%$ESSQA#!@)#$@)");

Wouldn't it be better to throw an exception if the salt is unprovided--halting JSPWiki from running if necessary--rather than rely on a salt value that is publicly known? If one wants encryption, a salt value must be provided; that doesn't seem unreasonable.

> Obfuscate on disk content type
> ------------------------------
>
>                 Key: JSPWIKI-205
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-205
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>            Reporter: Chris Lialios
>            Priority: Trivial
>         Attachments: BasicOverview.doc, EncryptingProviderSource.zip, encryption.patch, encryption.patch, encryption.patch, encryption.patch
>
>
> We would like to store passwords within the wiki pages. 
> Securing the page is trivial, however the contents on disk remain clear text.
> It would be very nice to have a page type that could be stored in an obfuscated form on disk. 
> As an addition, have a secondary password to display/edit the encrypted contents on disk for those who do not want to use wiki security on the page.
> I suspect this will have potentially drastic effects on the revisions process, but it would be a small price to pay for security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
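
The fail-fast behaviour suggested in the comment above, as an added example that is not part of the original message or of the attached patch: the salt is read from configuration and start-up is refused when it is missing, too short, or equal to a value that has appeared in public source. The class name, the property key string and the minimum length are assumptions made for illustration; only the default salt literal comes from the quoted line.

```java
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.Set;

/** Added illustration; class, property key and length threshold are hypothetical, not JSPWiki's. */
public class CryptoSaltConfig {
    // Hypothetical key name; the string behind the patch's PROP_CRYPTO_SALT is not shown on the page.
    static final String PROP_CRYPTO_SALT = "crypto.salt";
    // Assumed minimum; use whatever the cipher setup actually requires.
    static final int MIN_SALT_BYTES = 16;
    // Values that have appeared in public source and must never be accepted.
    static final Set<String> PUBLIC_SALTS = Set.of("Ra%$ESSQA#!@)#$@)");

    /** Returns the configured salt, or throws so that start-up stops instead of using a known value. */
    static byte[] requireSalt(Properties cryptoProperties) {
        String salt = cryptoProperties.getProperty(PROP_CRYPTO_SALT);
        if (salt == null || salt.trim().isEmpty()) {
            throw new IllegalStateException(PROP_CRYPTO_SALT + " must be set when encryption is enabled");
        }
        if (PUBLIC_SALTS.contains(salt)) {
            throw new IllegalStateException(PROP_CRYPTO_SALT + " is set to a publicly known value");
        }
        byte[] bytes = salt.getBytes(StandardCharsets.UTF_8);
        if (bytes.length < MIN_SALT_BYTES) {
            throw new IllegalStateException(PROP_CRYPTO_SALT + " must be at least " + MIN_SALT_BYTES + " bytes");
        }
        return bytes;
    }

    public static void main(String[] args) {
        // Constructed sample configurations: missing, public default, too short, acceptable.
        String[] samples = { null, "Ra%$ESSQA#!@)#$@)", "short", "k3Vq9-constructed-sample-salt" };
        for (String sample : samples) {
            Properties p = new Properties();
            if (sample != null) p.setProperty(PROP_CRYPTO_SALT, sample);
            try {
                System.out.println("accepted, " + requireSalt(p).length + " bytes");
            } catch (IllegalStateException e) {
                System.out.println("refused to start: " + e.getMessage());
            }
        }
    }
}
```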