I’m using an ArcSDE DataStore configured in the catalog.xml. My project has a requirement not to store plaintext passwords to the file system and so the GeoServer install is failing our security scans.
Are there any plans to encrypt the password attributes that are stored to GeoServer config files?
One implementation could be to provide a pluggable Java Factory pattern kind of impl for an encrypt class and use it to encrypt the value for all connection parameters named “password” in the XMLConfigWriter.java class. In this case, the XMLConfigWriter could use a special attribute called “encryptedValue” instead of “value”. The XMLConfigReader.java class could then be changed to handle this attrib using the same Java Factory pattern impl provided encrypt class to decrypt it. This would allow the password to be bootstrapped as the XMLConfigReader could still accept a plaintext password if it is set via the “value” attrib but thereafter it would encrypted in the file system when the configuration is saved.
Is there a better method to deal with this plaintext password issue already in the works?
Thanks,
Mike
Michael L. Runnals
Software Engineer
Northrop Grumman
12350 Jefferson Ave.
Newport News, VA 23602
757.249.1234 ex 385
There's no current plans in the work to encrypt password attributes, but we'd happily take a clean patch. Your solution sounds like it would work. And though I think this is the first explicit request for this feature I do think it's one others might like, and would happily put it in the core.
best regards,
Chris
Runnals, Mike wrote:
I'm using an ArcSDE DataStore configured in the catalog.xml. My project has a requirement not to store plaintext passwords to the file system and so the GeoServer install is failing our security scans.
Are there any plans to encrypt the password attributes that are stored to GeoServer config files?
One implementation could be to provide a pluggable Java Factory pattern kind of impl for an encrypt class and use it to encrypt the value for all connection parameters named "password" in the XMLConfigWriter.java class. In this case, the XMLConfigWriter could use a special attribute called "encryptedValue" instead of "value". The XMLConfigReader.java class could then be changed to handle this attrib using the same Java Factory pattern impl provided encrypt class to decrypt it. This would allow the password to be bootstrapped as the XMLConfigReader could still accept a plaintext password if it is set via the "value" attrib but thereafter it would encrypted in the file system when the configuration is saved.
Is there a better method to deal with this plaintext password issue already in the works?
Thanks,
Mike
Michael L. Runnals
Software Engineer
Northrop Grumman
12350 Jefferson Ave.
Newport News, VA 23602
757.249.1234 ex 385
!DSPAM:1003,4581891d79261116498154!
------------------------------------------------------------------------
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
!DSPAM:1003,4581891d79261116498154!
------------------------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
!DSPAM:1003,4581891d79261116498154!
--
Chris Holmes
The Open Planning Project
http://topp.openplans.org