manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <>
Subject Re: override properties.xml file
Date Wed, 15 Oct 2014 11:35:25 GMT
Hi Jitu,

I strongly suggest you still create a ticket and attach patches so that we
can agree on the right approach.

Please have a look at
.  In there you will see two things: first, the code that looks up
dbsuperusername and dbsuperuserpassword in order to create the database
instance, and second, encryption code used for import and export of
ManifoldCF configuration.

I had intended to add a property method called "getPropertyObfuscated"
which would use the ManifoldCF deobfuscate() method to retrieve an
obfuscated form of the property.  For example, if the property was
"org.apache.manifoldcf.dbsuperuserpassword", the method would first look
for "org.apache.manifoldcf.dbsuperuserpasswordobfuscated" and if found
would deobfuscate the results.  Only if not found would it look at
"org.apache.manifoldcf.dbsuperuserpassword".  I still intend to make this
change in MCF 2.0 and 1.8, regardless of what you wind up doing in the end.

FWIW, it is possible (and indeed I have been considering) replacing the
current homegrown Obfuscate/Deobfuscate code with a real encryption
algorithm.  I would urge you to consider doing it that way rather than
inventing something wholly new.  The Java cipher framework allows you to
register custom ciphers if that is what clients demand.  (The import and
export uses AES.)  The only complication with this approach is that
somewhere we'd need an encryption key, which would probably wind up being
placed in properties.xml as well, or maybe buried in code.  So you don't
buy any real security this way, just protection from having someone see the
password over one's shoulder.


On Wed, Oct 15, 2014 at 3:41 AM, Jitu <> wrote:

> Hi Karl,
>          i would like to work on this bug.
> Thanks,
> Jitu
> On Wed, Oct 15, 2014 at 12:53 PM, Jitu <> wrote:
>> Thanks Karl. That would be great. For now that helps. But in future, is
>> it possible to provide a way to inject custom encryption algorithm. some
>> clients want custom encryption algorithm for all their sensitive
>> information.
>> Thanks,
>> Jitu
>> On Wed, Oct 15, 2014 at 11:48 AM, Karl Wright <> wrote:
>>> Hi Jitu,
>>> Obfuscating the password in the properties.xml file is not hard to
>>> implement but has not been requested before.  Please create a ticket, and
>>> I'll look at implementing this sometime in the next couple of weeks.
>>> Thanks,
>>> Karl
>>> On Wed, Oct 15, 2014 at 1:30 AM, Jitu <> wrote:
>>>> Hi Karl,
>>>> Thanks for your continued support. Thanks to all who contributed for
>>>> Manifoldcf 1.7.1 release.
>>>> I have a requirement where our client does not want to store database
>>>> password in plain text rather they want to store it in ecrypted in
>>>> properties.xml file.
>>>> Thanks,
>>>> Jitu

View raw message