Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/04/14 19:21:59 UTC
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
Hello Marco,
Thanks for your wonderful work in this area.
I truly appreciate your efforts.
Here are a few thoughts / comments:
1) We are saving the password as it is.
https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
I think we should encrypt the password before saving it to the database and
not show the password as it is when fetching it from the database.
Thoughts?
+1, using what we already use (also SHA that should be salted at some point in the future)
2) We should change the name of the service in the service definition and
implementation.
For example, you have used "updateGatewayConfiguration"; if instead
we use "updatePaymentGatewayConfig" it will help developers to
easily see the referenced entity.
Same applies to other references like
updateGatewayConfigurationPayflowPro,
updateGatewayConfigurationClearCommerce .... etc.
3) We should change the request map entries to follow best practice as
well.
For example: ViewGatewayConfigurationType and ViewGatewayConfiguration can be
changed to EditPaymentGatewayConfigType and EditPaymentGatewayConfig
respectively.
I am requesting you to change this now (refer to points #3 & #4) because
newcomers who start coding may take this code as a reference.
+1
Jacques
4) Do you have any plan to provide the form and services to create
new "PaymentGatewayConfig" & "PaymentGatewayConfigType" records?
--
Ashish Vijaywargiya
mrisaliti@apache.org wrote:
> Author: mrisaliti
> Date: Thu Apr 9 19:45:31 2009
> New Revision: 763782
>
> URL: http://svn.apache.org/viewvc?rev=763782&view=rev
> Log:
> Move payment.properties to PaymentGatewayConfig entities (OFBIZ-2269)
>
> Added:
> ofbiz/trunk/applications/accounting/script/org/ofbiz/accounting/payment/PaymentGatewayConfigServices.xml (with props)
> ofbiz/trunk/applications/accounting/servicedef/services_paymentgateway.xml (with props)
> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigurationsForms.xml (with props)
> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigurationsScreens.xml (with props)
> ofbiz/trunk/applications/product/webapp/catalog/WEB-INF/actions/store/EditProductStorePaySetup.groovy (with props)
> Modified:
> ofbiz/trunk/applications/accounting/config/AccountingUiLabels.xml
> ofbiz/trunk/applications/accounting/data/AccountingTypeData.xml
> ofbiz/trunk/applications/accounting/entitydef/entitymodel.xml
> ofbiz/trunk/applications/accounting/ofbiz-component.xml
> ofbiz/trunk/applications/accounting/servicedef/services_paymentmethod.xml
> ofbiz/trunk/applications/accounting/src/org/ofbiz/accounting/payment/PaymentGatewayServices.java
> ofbiz/trunk/applications/accounting/webapp/accounting/WEB-INF/controller.xml
> ofbiz/trunk/applications/accounting/widget/Menus.xml
> ofbiz/trunk/applications/product/config/ProductUiLabels.xml
> ofbiz/trunk/applications/product/entitydef/entitymodel.xml
> ofbiz/trunk/applications/product/servicedef/services_store.xml
> ofbiz/trunk/applications/product/webapp/catalog/store/ProductStoreForms.xml
> ofbiz/trunk/applications/product/widget/catalog/StoreScreens.xml
> ofbiz/trunk/specialpurpose/ecommerce/data/DemoFinAccount.xml
> ofbiz/trunk/specialpurpose/ecommerce/data/DemoProduct.xml
> ofbiz/trunk/specialpurpose/ecommerce/data/DemoRentalProduct.xml
> ofbiz/trunk/specialpurpose/ecommerce/data/DemoStoreGiftCertificateSettings.xml
> ofbiz/trunk/specialpurpose/pos/data/DemoRetail.xml
> ofbiz/trunk/specialpurpose/webpos/data/DemoPosData.xml
>
> Modified: ofbiz/trunk/applications/accounting/config/AccountingUiLabels.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/config/AccountingUiLabels.xml?rev=763782&r1=763781&r2=763782&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/accounting/config/AccountingUiLabels.xml (original)
> +++ ofbiz/trunk/applications/accounting/config/AccountingUiLabels.xml Thu Apr 9 19:45:31 2009
> @@ -5474,6 +5474,30 @@
> <value xml:lang="th">à ¸£à ¸²à ¸¢à ¸Âà ¸²à ¸£à ¸ªà ¸Â-à ¸²à ¸ÂTà ¸°à ¸Âà ¸¥à ¸¸à ¹Â^à ¸¡Ã
> ¸Âoà ¸¹à ¹Â?à ¹Âfà ¸ÂSà ¹Â?</value>
> <value xml:lang="zh">ä¼ÂsÃ¥Â'Â~è§Â'èÂ?²åÂ^Â-表</value>
> </property>
> + <property key="AccountingPayflowProLoggingOff">
> + <value xml:lang="en">Logging Off</value>
> + <value xml:lang="it">Log disabilitato</value>
> + </property>
>
>
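Review bot: the English value "Logging Off" for the new AccountingPayflowProLoggingOff key reads as a sign-out action, while the Italian value "Log disabilitato" says the log is disabled; consider "Logging disabled" (or "Logging: Off") so both languages mean the same thing and the label cannot be confused with the logout link. Separately, the unchanged th and zh context lines above the addition render as mojibake in this hunk; confirm the file is still saved as UTF-8 with a matching XML declaration and that the edit did not re-encode the existing translations.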
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/
applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/
applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by Ashish Vijaywargiya <as...@hotwaxmedia.com>.
>> Hello Marco,
>> Thanks for your wonderful work in this area.
>> I truly appreciate your efforts.
In my initial email I gave thanks to Marco ... and he deserves
that.
I think you missed that .... maybe due to your super fast working
style ;0).
I gave thanks to you and David because you guys shared your
thoughts on my comment.
Thanks once again Marco, Jacques & David! (I guess now the order of the
people included in this line serves our purpose :-) )
--
Ashish
Jacques Le Roux wrote:
> Actually we should rather thank Marco! ;o)
>
> Jacques
>
>
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Actually we should rather thank Marco! ;o)
Jacques
From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
> Thanks Jacques & David.
>
> --
> Ashish
>
> Jacques Le Roux wrote:
>> Thanks for the clarification David
>>
>> Jacques
>>
>> From: "David E Jones" <da...@hotwaxmedia.com>
>>> On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
>>>
>>>> From: "David E Jones" <da...@hotwaxmedia.com>
>>>>> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>>>>>
>>>>>> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
>>>>>> Hello Marco,
>>>>>>
>>>>>> Thanks for your wonderful work in this area.
>>>>>> I truly appreciate your efforts.
>>>>>>
>>>>>> Here are a few thoughts / comments:
>>>>>>
>>>>>> 1) We are saving the password as it is.
>>>>>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>>>>>>
>>>>>> I think we should encrypt the password before saving it to
>>>>>> the database and
>>>>>> not show the password as it is when fetching it from the database.
>>>>>> Thoughts?
>>>>>>
>>>>>> +1, using what we already use (also SHA that should be salted at
>>>>>> some point in the future)
>>>>>
>>>>> These are all good changes, so thanks to Jacques and especially
>>>>> Ashish for the comments.
>>>>>
>>>>> For the gateway password encryption we'll want to use the Entity
>>>>> Engine's built-in two-way encryption. We can't use SHA/hash
>>>>> encryption because we have to be able to decrypt these passwords
>>>>> to send them to the payment gateway (ie they would never accept a
>>>>> hashed form of the password, that is a big security hole and
>>>>> basically nullifies most of the benefit of the hash, which is why
>>>>> by default we don't allow that in OFBiz either).
>>>>>
>>>>> -David
>>>>
>>>> Hi David,
>>>>
>>>> I understand that we need two-way encryption for a payment gateway.
>>>> But about SHA I'm not quite sure I understand. SHA means Secure
>>>> Hash Algorithm, so why do you add /ash after SHA?
>>>> I know we use SHA for login passwords, so I'm not sure what you
>>>> mean. Do you mean that we should not use salted SHA in OFBiz at all?
>>>
>>> SHA is a hash algorithm, but there are other hash algorithms and
>>> that is why I wrote "SHA/hash".
>>>
>>> My main point is that a normal password hash algorithm is not
>>> relevant here as it can't be used when 2-way encryption is needed,
>>> that's all.
>>>
>>> -David
>>>
>>
>
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/
applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/
applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by Ashish Vijaywargiya <as...@hotwaxmedia.com>.
Thanks Jacques & David.
--
Ashish
Jacques Le Roux wrote:
> Thanks for the clarification David
>
> Jacques
>
> From: "David E Jones" <da...@hotwaxmedia.com>
>> On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
>>
>>> From: "David E Jones" <da...@hotwaxmedia.com>
>>>> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>>>>
>>>>> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
>>>>> Hello Marco,
>>>>>
>>>>> Thanks for your wonderful work in this area.
>>>>> I truly appreciate your efforts.
>>>>>
>>>>> Here are a few thoughts / comments:
>>>>>
>>>>> 1) We are saving the password as it is.
>>>>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>>>>>
>>>>> I think we should encrypt the password before saving it to
>>>>> the database and
>>>>> not show the password as it is when fetching it from the database.
>>>>> Thoughts?
>>>>>
>>>>> +1, using what we already use (also SHA that should be salted at
>>>>> some point in the future)
>>>>
>>>> These are all good changes, so thanks to Jacques and especially
>>>> Ashish for the comments.
>>>>
>>>> For the gateway password encryption we'll want to use the Entity
>>>> Engine's built-in two-way encryption. We can't use SHA/hash
>>>> encryption because we have to be able to decrypt these passwords
>>>> to send them to the payment gateway (ie they would never accept a
>>>> hashed form of the password, that is a big security hole and
>>>> basically nullifies most of the benefit of the hash, which is why
>>>> by default we don't allow that in OFBiz either).
>>>>
>>>> -David
>>>
>>> Hi David,
>>>
>>> I understand that we need two-way encryption for a payment gateway.
>>> But about SHA I'm not quite sure I understand. SHA means Secure
>>> Hash Algorithm, so why do you add /ash after SHA?
>>> I know we use SHA for login passwords, so I'm not sure what you
>>> mean. Do you mean that we should not use salted SHA in OFBiz at all?
>>
>> SHA is a hash algorithm, but there are other hash algorithms and
>> that is why I wrote "SHA/hash".
>>
>> My main point is that a normal password hash algorithm is not
>> relevant here as it can't be used when 2-way encryption is needed,
>> that's all.
>>
>> -David
>>
>
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks for the clarification David
Jacques
From: "David E Jones" <da...@hotwaxmedia.com>
> On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
>
>> From: "David E Jones" <da...@hotwaxmedia.com>
>>> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>>>
>>>> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
>>>> Hello Marco,
>>>>
>>>> Thanks for your wonderful work in this area.
>>>> I truly appreciate your efforts.
>>>>
>>>> Here are a few thoughts / comments:
>>>>
>>>> 1) We are saving the password as it is.
>>>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>>>> I think we should encrypt the password before saving it to
>>>> the database and
>>>> not show the password as it is when fetching it from the database.
>>>> Thoughts?
>>>>
>>>> +1, using what we already use (also SHA that should be salted at
>>>> some point in the future)
>>>
>>> These are all good changes, so thanks to Jacques and especially
>>> Ashish for the comments.
>>>
>>> For the gateway password encryption we'll want to use the Entity
>>> Engine's built-in two-way encryption. We can't use SHA/hash
>>> encryption because we have to be able to decrypt these passwords
>>> to send them to the payment gateway (ie they would never accept a
>>> hashed form of the password, that is a big security hole and
>>> basically nullifies most of the benefit of the hash, which is why
>>> by default we don't allow that in OFBiz either).
>>>
>>> -David
>>
>> Hi David,
>>
>> I understand that we need two-way encryption for a payment gateway.
>> But about SHA I'm not quite sure I understand. SHA means Secure
>> Hash Algorithm, so why do you add /ash after SHA?
>> I know we use SHA for login passwords, so I'm not sure what you
>> mean. Do you mean that we should not use salted SHA in OFBiz at all?
>
> SHA is a hash algorithm, but there are other hash algorithms and that
> is why I wrote "SHA/hash".
>
> My main point is that a normal password hash algorithm is not relevant
> here as it can't be used when 2-way encryption is needed, that's all.
>
> -David
>
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by David E Jones <da...@hotwaxmedia.com>.
On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
> From: "David E Jones" <da...@hotwaxmedia.com>
>> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>>
>>> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
>>> Hello Marco,
>>>
>>> Thanks for your wonderful work in this area.
>>> I truly appreciate your efforts.
>>>
>>> Here are a few thoughts / comments:
>>>
>>> 1) We are saving the password as it is.
>>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>>> I think we should encrypt the password before saving it to
>>> the database and
>>> not show the password as it is when fetching it from the database.
>>> Thoughts?
>>>
>>> +1, using what we already use (also SHA that should be salted at
>>> some point in the future)
>>
>> These are all good changes, so thanks to Jacques and especially
>> Ashish for the comments.
>>
>> For the gateway password encryption we'll want to use the Entity
>> Engine's built-in two-way encryption. We can't use SHA/hash
>> encryption because we have to be able to decrypt these passwords
>> to send them to the payment gateway (ie they would never accept a
>> hashed form of the password, that is a big security hole and
>> basically nullifies most of the benefit of the hash, which is why
>> by default we don't allow that in OFBiz either).
>>
>> -David
>
> Hi David,
>
> I understand that we need two-way encryption for a payment gateway.
> But about SHA I'm not quite sure I understand. SHA means Secure
> Hash Algorithm, so why do you add /ash after SHA?
> I know we use SHA for login passwords, so I'm not sure what you
> mean. Do you mean that we should not use salted SHA in OFBiz at all?
SHA is a hash algorithm, but there are other hash algorithms and that
is why I wrote "SHA/hash".
My main point is that a normal password hash algorithm is not relevant
here as it can't be used when 2-way encryption is needed, that's all.
-David
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "David E Jones" <da...@hotwaxmedia.com>
> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>
>> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
>> Hello Marco,
>>
>> Thanks for your wonderful work in this area.
>> I truly appreciate your efforts.
>>
>> Here are a few thoughts / comments:
>>
>> 1) We are saving the password as it is.
>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>> I think we should encrypt the password before saving it to the database and
>> not show the password as it is when fetching it from the database.
>> Thoughts?
>>
>> +1, using what we already use (also SHA that should be salted at some point in the future)
>
> These are all good changes, so thanks to Jacques and especially Ashish for the comments.
>
> For the gateway password encryption we'll want to use the Entity Engine's built-in two-way encryption. We can't use SHA/hash
> encryption because we have to be able to decrypt these passwords to send them to the payment gateway (ie they would never accept
> a hashed form of the password, that is a big security hole and basically nullifies most of the benefit of the hash, which is why
> by default we don't allow that in OFBiz either).
>
> -David
Hi David,
I understand that we need two-way encryption for a payment gateway.
But about SHA I'm not quite sure I understand. SHA means Secure Hash Algorithm, so why do you add /ash after SHA?
I know we use SHA for login passwords, so I'm not sure what you mean. Do you mean that we should not use salted SHA in OFBiz at
all?
Jacques
Re: svn commit: r763782 [1/2] - in /ofbiz/trunk: applications/accounting/ applications/accounting/config/ applications/accounting/data/ applications/accounting/entitydef/ applications/accounting/script/org/ofbiz/accounting/payment/ applications/accounting/
Posted by David E Jones <da...@hotwaxmedia.com>.
On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
> From: "Ashish Vijaywargiya" <as...@hotwaxmedia.com>
> Hello Marco,
>
> Thanks for your wonderful work in this area.
> I truly appreciate your efforts.
>
> Here are a few thoughts / comments:
>
> 1) We are saving the password as it is.
> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
> I think we should encrypt the password before saving it to the database
> and
> not show the password as it is when fetching it from the database.
> Thoughts?
>
> +1, using what we already use (also SHA that should be salted at
> some point in the future)
These are all good changes, so thanks to Jacques and especially Ashish
for the comments.
For the gateway password encryption we'll want to use the Entity
Engine's built-in two-way encryption. We can't use SHA/hash encryption
because we have to be able to decrypt these passwords to send them to
the payment gateway (ie they would never accept a hashed form of the
password, that is a big security hole and basically nullifies most of
the benefit of the hash, which is why by default we don't allow that
in OFBiz either).
-David
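As an added illustration of Ashish's point 1 and of David's reply above (example code written for this page, not OFBiz's Entity Engine encryption and not code from anyone in the thread): the login password is stored as a salted, stretched one-way hash (PBKDF2-HMAC-SHA256 here, standing in for the salted SHA Jacques mentions) and is only ever verified by recomputation, while the gateway password is stored under reversible AES-GCM encryption so the plaintext can be recovered for the outbound call, and the view screen renders a mask instead of either value. The CredentialStorageDemo class, the record layouts ("pbkdf2-sha256$..." and "aes-gcm$..."), the in-memory master key and the sample values are assumptions for the demo; a deployment would load the key from a keystore or HSM, never from the database beside the ciphertext.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added illustration, not OFBiz code: a login password gets a one-way salted hash,
 * a gateway password needs keyed two-way encryption because it must be replayed.
 * The record formats ("pbkdf2-sha256$...", "aes-gcm$...") are hypothetical.
 */
public final class CredentialStorageDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int PBKDF2_ITERATIONS = 600_000;
    private static final int PBKDF2_KEY_BITS = 256;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /* ---- Login password: salted, stretched, one-way. Nothing here can be reversed. ---- */

    /** Returns "pbkdf2-sha256$iterations$salt$hash" (base64 fields) for storage. */
    public static String hashLoginPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                        // fresh random salt per user
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        return "pbkdf2-sha256$" + PBKDF2_ITERATIONS + "$" + b64(salt) + "$" + b64(hash);
    }

    /** Recomputes the hash with the stored salt and compares in constant time. */
    public static boolean verifyLoginPassword(char[] password, String stored) throws Exception {
        String[] f = stored.split("\\$");
        if (f.length != 4 || !"pbkdf2-sha256".equals(f[0])) return false;
        byte[] actual = pbkdf2(password, unb64(f[2]), Integer.parseInt(f[1]));
        return MessageDigest.isEqual(unb64(f[3]), actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, PBKDF2_KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /* ---- Gateway password: reversible under a master key kept outside the database. ---- */

    /** AES-256-GCM; the config id is bound as associated data, so a ciphertext copied
     *  onto another PaymentGatewayConfig row will not decrypt there. */
    public static String encryptGatewayPassword(SecretKey masterKey, String configId, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                          // never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(configId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return "aes-gcm$" + b64(iv) + "$" + b64(ct);
    }

    /** Recovers the plaintext for the outbound gateway call only. Throws
     *  AEADBadTagException on a wrong key, a tampered record or a swapped row. */
    public static String decryptGatewayPassword(SecretKey masterKey, String configId, String stored) throws Exception {
        String[] f = stored.split("\\$");
        if (f.length != 3 || !"aes-gcm".equals(f[0])) throw new IllegalArgumentException("unrecognised record");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(GCM_TAG_BITS, unb64(f[1])));
        c.updateAAD(configId.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(unb64(f[2])), StandardCharsets.UTF_8);
    }

    /** What a view screen should render instead of the secret: fixed length, leaks nothing. */
    public static String maskForDisplay(String secret) {
        return (secret == null || secret.isEmpty()) ? "" : "********";
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demo.
        String loginRow = hashLoginPassword("correct horse".toCharArray());
        System.out.println("right password: " + verifyLoginPassword("correct horse".toCharArray(), loginRow));
        System.out.println("wrong password: " + verifyLoginPassword("wrong".toCharArray(), loginRow));

        // Assumption: a real deployment loads this key from a keystore or HSM. Generated here only for the demo.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey masterKey = kg.generateKey();
        String gatewayRow = encryptGatewayPassword(masterKey, "PAYFLOWPRO_CONFIG", "payflow-secret-123");
        System.out.println("stored:         " + gatewayRow);
        System.out.println("on screen:      " + maskForDisplay(gatewayRow));
        System.out.println("to gateway:     " + decryptGatewayPassword(masterKey, "PAYFLOWPRO_CONFIG", gatewayRow));
        try {
            decryptGatewayPassword(masterKey, "OTHER_CONFIG", gatewayRow);
        } catch (AEADBadTagException e) {
            System.out.println("copied to another row: rejected");
        }
    }
}
```

Compile and run with `javac CredentialStorageDemo.java && java CredentialStorageDemo`. The two halves answer the two halves of the thread: the login record can be checked but never turned back into a password, so it is useless for a gateway call, and the gateway record can be turned back into a password, so its protection is only as good as the custody of the master key. Binding the paymentGatewayConfigId as associated data is the detail worth keeping: without it, anyone with write access to the table could copy a ciphertext from one config row onto another and it would still decrypt.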