[Geoserver-devel] Encrypted data store passwords and REST

If I try to get some information about a data store using REST, the response contains encrypted data store passwords.

Some snippets, executing

curl -v -u admin:geoserver -XGET
http://localhost:8080/geoserver/rest/workspaces/acme/datastores/nync.xml

results in

crypt1:pw5lO+WAt6nThMc1cywD3Q==
postgis

Even worse, doing the same REST call again, the encrypted password is different. (This is because we use a salt and the plain text password is encrypted for each REST call).

IMHO, I would expect the plain text password, the cipher text is quite useless.

Opinions ?

Cheers
Christian

On Fri, Mar 15, 2013 at 5:24 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

If I try to get some information about a data store using REST, the response contains encrypted data store passwords.

Some snippets, executing

curl -v -u admin:geoserver -XGET
http://localhost:8080/geoserver/rest/workspaces/acme/datastores/nync.xml

results in

crypt1:pw5lO+WAt6nThMc1cywD3Q==
postgis

Even worse, doing the same REST call again, the encrypted password is different. (This is because we use a salt and the plain text password is encrypted for each REST call).

IMHO, I would expect the plain text password, the cipher text is quite useless.

Opinions ?

I agree, returning the crypted password seems like a bug to me. These operations are
protected and only an admin can access them anyways.
Either that, or we should avoid returning the password at all…

Cheers
Andrea

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it