I created one ticket which covers the basic mechanism, although not any obfuscation upgrades:

https://issues.apache.org/jira/browse/CONNECTORS-1075

Karl

On Wed, Oct 15, 2014 at 7:35 AM, Karl Wright <daddywri@gmail.com> wrote:
Hi Jitu,

I strongly suggest you still create a ticket and attach patches so that we can agree on the right approach.

Please have a look at framework/pull-agent/src/main/java/org/apache/manifoldcf/crawler/system/ManifoldCF.java .  In there you will see two things: first, the code that looks up dbsuperusername and dbsuperuserpassword in order to create the database instance, and second, encryption code used for import and export of ManifoldCF configuration.

I had intended to add a property method called "getPropertyObfuscated" which would use the ManifoldCF deobfuscate() method to retrieve an obfuscated form of the property.  For example, if the property was "org.apache.manifoldcf.dbsuperuserpassword", the method would first look for "org.apache.manifoldcf.dbsuperuserpasswordobfuscated" and if found would deobfuscate the results.  Only if not found would it look at "org.apache.manifoldcf.dbsuperuserpassword".  I still intend to make this change in MCF 2.0 and 1.8, regardless of what you wind up doing in the end.

FWIW, it is possible (and indeed I have been considering) replacing the current homegrown Obfuscate/Deobfuscate code with a real encryption algorithm.  I would urge you to consider doing it that way rather than inventing something wholly new.  The Java cipher framework allows you to register custom ciphers if that is what clients demand.  (The import and export uses AES.)  The only complication with this approach is that somewhere we'd need an encryption key, which would probably wind up being placed in properties.xml as well, or maybe buried in code.  So you don't buy any real security this way, just protection from having someone see the password over one's shoulder.

Karl


On Wed, Oct 15, 2014 at 3:41 AM, Jitu <abjitu@gmail.com> wrote:
Hi Karl,
         i would like to work on this bug.

Thanks,
Jitu

On Wed, Oct 15, 2014 at 12:53 PM, Jitu <abjitu@gmail.com> wrote:
Thanks Karl. That would be great. For now that helps. But in future, is it possible to provide a way to inject custom encryption algorithm. some clients want custom encryption algorithm for all their sensitive information.

Thanks,
Jitu

On Wed, Oct 15, 2014 at 11:48 AM, Karl Wright <daddywri@gmail.com> wrote:
Hi Jitu,

Obfuscating the password in the properties.xml file is not hard to implement but has not been requested before.  Please create a ticket, and I'll look at implementing this sometime in the next couple of weeks.

Thanks,
Karl


On Wed, Oct 15, 2014 at 1:30 AM, Jitu <abjitu@gmail.com> wrote:
Hi Karl,

Thanks for your continued support. Thanks to all who contributed for Manifoldcf 1.7.1 release.

I have a requirement where our client does not want to store database password in plain text rather they want to store it in ecrypted in properties.xml file.

Thanks,
Jitu