swingman wrote: What about adding a checkbox in Servoy Server Admin to store passwords encrypted instead of as clear text?
alb wrote: In many scenarios division of administrative function is one of the key tenets of security and audit in a government scenario. Why wouldn't it be possible for the servoy.properties to be encrypted and decrypted with the Java keystore that Servoy already uses? Then the keystore could be set up by the information administrator (i.e. the person with legal access to the data) and the password on the keystore (which is not stored in plain text) would prevent browsing by non-authorised admins? I set up the keystore on a server last night and it took me about 5 minutes.
Just a thought.
If plain text is not a problem why does no other app/OS store it that way? Why not just store the passwords for the entire server in plain text? After all only the really trustworthy admin will ever see them so what could be the problem? I think you need to get a little more paranoid (or maybe I am too paranoid).
I'm going to follow up with our security advisor and Defence Signals and will post back to this list when I get an answer. (and accept with good grace if I am wrong).
Al.
jaleman wrote: To store those passwords securely there are only two really secure possibilities: one is to key in the passwords every time you fire up your Servoy application and the second is to make sure your file is in a secure location. The first one is not very convenient and the latter one is what we already support.
Jan Blok wrote: In the property file we now encrypt the values for the keys containing the string "password" with keystore keys (can be default SSL one).
2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - driver=com.sybase.jdbc2.jdbc.SybDriver@d0570e
2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - url=jdbc:sybase:Tds:localhost:2638?ServiceName=servoy_repository&CHARSET=utf8
2006-09-06 10:16:21,937 DEBUG [TaskExecuter[0]] com.servoy.j2db.util.Debug - connectionProperties={user=DBA, password=SQL}
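The approach discussed in this thread (encrypting only the values whose key contains "password", with a key held in a Java keystore whose passphrase belongs to the data owner) shown as an added example; it is not Servoy's code and not part of any post above. The AES-GCM scheme, the `enc:` marker, the `props-key` alias, the passphrase and the `db.*` property names are assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordPropertyDemo {
    static final String PREFIX = "enc:"; // hypothetical marker for an already-encrypted value

    static String encrypt(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce for every value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return PREFIX + Base64.getEncoder().encodeToString(out); // nonce || ciphertext+tag
    }

    static String decrypt(SecretKey key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // throws if tampered
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "constructed-demo-passphrase".toCharArray(); // held by the key owner in practice
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, storePass); // empty in-memory keystore for the demo
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ks.setEntry("props-key", new KeyStore.SecretKeyEntry(kg.generateKey()), new KeyStore.PasswordProtection(storePass));
        SecretKey key = new SecretKeySpec(ks.getKey("props-key", storePass).getEncoded(), "AES");

        Properties p = new Properties(); // constructed sample entries
        p.setProperty("db.user", "DBA");
        p.setProperty("db.password", "SQL");
        for (String name : p.stringPropertyNames()) { // snapshot of the keys, safe to modify p
            String v = p.getProperty(name);
            if (name.toLowerCase().contains("password") && !v.startsWith(PREFIX))
                p.setProperty(name, encrypt(key, v)); // only password keys are rewritten
        }
        System.out.println(p); // db.user stays readable, db.password is now enc:...
        System.out.println(decrypt(key, p.getProperty("db.password")));
    }
}
```

The protection is only as strong as the handling of the keystore passphrase: if it sits in a file next to the properties, an administrator who can read one can read the other.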