Ian and me decided to open a thread on the developers list concerning
https://jira.codehaus.org/browse/GEOS-4702
https://jira.codehaus.org/browse/GEOS-4554
Each issue has a patch, unfortunately they are overlapping.
Ians patch has two major topics
a) Digesting passwords in the user.properties file
b) Encrypting passwords for geoserver stores
add a)
The user.properties file and the GeoserverUserDao are replaced by UserGroupServices and GrantedAuthorityServices by my patch. It will be possible to have more than one backend for users/groups. At the moment I deferred password digesting since I am investigating into authentication manager / authentication providers supporting CAS,proxy authentication,password authentication and so on. Not every user has to be authenticated by userid/password, nor has the user information to be stored within a geoserver backend implementation.
add b)
This topic is unique to Ians patch. Some comments
1)
I would use this concept for the master key
http://www.jasypt.org/webconfiguration.html
The default should be the GeoserverExtensiosns.getProperty mechanism, but it would be nice to have the possibility to inject the master key using Spring.
2)
I would prefer a md5/aes 128 encryption as default and would avoid DES which is not state of the art and could be broken by brute force today (only 56 Bit key length).
3) Perhaps, there should be a possibility to turn this feature off after turning it on, not sure here.
Proposal:
Ian, do you see a possibility to reduce your patch to the encrpytion (PBE) feature. At the moment we cannot apply both patches simultaneously and I want a situation where we can continue work independently.
Opinions ?
Cheers
Christian
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.