Bug 1014456 - RTGov authentication config uses open-text passwords
Summary: RTGov authentication config uses open-text passwords
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Configuration
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ER7
: 6.0.0
Assignee: Julian Coleman
QA Contact: Jiri Pechanec
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-02 05:53 UTC by Jiri Pechanec
Modified: 2014-02-06 15:25 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The RTGov authentication stores passwords in clear text. The passwords should be encrypted or hashed. The defaults present a security risk to users.
Clone Of:
Environment:
Last Closed: 2014-02-06 15:25:39 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Jiri Pechanec 2013-10-02 05:53:18 UTC 
The RTGov authentication based on property files stores passwords in open-text. The passwords should be encrypted/hashed.

overlord-idp-users.properties
#eric=eric
admin=JBoss.123

overlord-rtgov.properties for rtgc-only
RESTActivityServer.serverUsername=admin
RESTActivityServer.serverPassword=JBoss.123
Comment 1 Jiri Pechanec 2013-12-13 05:50:07 UTC 
overlord-idp-users.properties - remove ok
overlord-rtgov.properties - still contains opentext credentials
Comment 2 Len DiMaggio 2014-01-22 02:20:01 UTC 
Seeing this in CR1 - with an RTGov client only install:

grep -i password ./standalone/configuration/overlord-rtgov.properties

RESTActivityServer.serverPassword=${vault:VAULT::rtgov::serverPassword::1}
Note You need to log in before you can comment on or make changes to this bug.