directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] Created: (DIRSERVER-772) Credentials in server.xml is read as byte[], and is visible
Date Sun, 05 Nov 2006 13:47:16 GMT
Credentials in server.xml is read as byte[], and is visible

                 Key: DIRSERVER-772
             Project: Directory ApacheDS
          Issue Type: Bug
            Reporter: Emmanuel Lecharny

The credentials declared in the server.xml file are read as a byte array during the server
initialization. Worse, they are visible to any mere mortal who has access to this file.
At this point, I don't think that storing a password in a configuration file is a good idea.
There should be a phase in the installation where the administrator is asked for the password,
which is then stored in the base, encrypted, of course!
However, if we don't change that in the next version, we must fix the conversion from String
to byte[], because the user's default encoding may differ from UTF-8, which is the server.xml
file's encoding. The piece of code that reads the credential is:
        Object value = env.get( Context.SECURITY_CREDENTIALS );
        if ( value == null )
            credential = null;
        else if ( value instanceof String )
            // BUG: getBytes() with no argument uses the JVM's default charset, not UTF-8
            credential = ( ( String ) value ).getBytes();

Here, we should have something like:
            // always encode with the charset server.xml is written in
            credential = ( ( String ) value ).getBytes( "UTF-8" );

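The encoding mismatch the issue describes, as an added example that is not ApacheDS code: the same configured password String is converted to bytes once the way the buggy code does (platform default charset) and once the way the proposed fix does (UTF-8), and both are compared against the UTF-8 bytes a client would send on bind. It assumes a modern JDK (java.nio.charset.StandardCharsets), a constructed password "s3crét", and uses ISO-8859-1 as a stand-in for a host whose default encoding is not UTF-8 so the effect shows on any machine.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not ApacheDS code. It models the two code paths from the issue:
// String.getBytes() under a non-UTF-8 platform default versus getBytes("UTF-8").
public class CredentialEncodingDemo {

    // Constructed sample password containing a non-ASCII character ("s3crét").
    static final String PASSWORD = "s3cr\u00e9t";

    // Models the buggy code: the JVM's default charset decides which bytes the
    // configured credential turns into. platformDefault stands in for
    // Charset.defaultCharset() so the effect can be reproduced on any host.
    static byte[] buggyCredential(Object value, Charset platformDefault) {
        if (value == null) {
            return null;
        }
        if (value instanceof String) {
            return ((String) value).getBytes(platformDefault);
        }
        return (byte[]) value;
    }

    // Models the proposed fix: always encode the String with the charset that
    // server.xml is written in, independent of the host's default encoding.
    static byte[] fixedCredential(Object value) {
        if (value == null) {
            return null;
        }
        if (value instanceof String) {
            return ((String) value).getBytes(StandardCharsets.UTF_8);
        }
        return (byte[]) value;
    }

    // Hex dump so the difference in the byte sequences is visible.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xff));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Bytes a client that encodes the bind password as UTF-8 sends on the wire.
        byte[] fromClient = PASSWORD.getBytes(StandardCharsets.UTF_8);

        // The same configured String read on a JVM whose default charset is
        // ISO-8859-1: the 'é' becomes a single byte instead of a two-byte sequence,
        // so the stored credential no longer equals what the client sends.
        byte[] buggy = buggyCredential(PASSWORD, StandardCharsets.ISO_8859_1);
        byte[] fixed = fixedCredential(PASSWORD);

        System.out.println("client (UTF-8)        : " + hex(fromClient));
        System.out.println("buggy (default=8859-1): " + hex(buggy));
        System.out.println("fixed (UTF-8)         : " + hex(fixed));
        System.out.println("buggy matches client  : " + Arrays.equals(fromClient, buggy));
        System.out.println("fixed matches client  : " + Arrays.equals(fromClient, fixed));
    }
}
```

On a host whose default encoding is not UTF-8 the buggy conversion yields bytes that never match the client's bind password, so the administrator is locked out even though the configured value is correct; any password restricted to ASCII hides the bug, which is why it is easy to miss in testing.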