Bug 1019990 - Password entered into installer is written to overlord-idp-users in plain text
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER7
Target Release: 6.0.0
Assignee: Thomas Hauser
QA Contact: Jiri Pechanec
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-16 18:06 UTC by Len DiMaggio
Modified: 2014-02-06 15:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-06 15:26:45 UTC
Type: Bug
Embargoed:



Description Len DiMaggio 2013-10-16 18:06:49 UTC
Description of problem:

standalone/configuration/overlord-idp-users.properties:admin=password1#


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Gary Brown 2013-10-17 08:00:32 UTC
I believe this will be resolved post-beta with the use of the vault.

Comment 2 Eric Wittmann 2013-10-29 13:18:20 UTC
This has been addressed by removing the overlord-idp-*.properties files.  The Overlord SSO IDP now uses the EAP application realm as its source for credentials rather than its own properties files.

The installer should change to reflect this reality.  I *think* the installer should be asking for two passwords:

1) the Management user
2) an Application user

The former is used to log into the EAP management console.

The latter is used to log into the FSW6 UI applications, including:

* BPEL console
* S-RAMP UI
* DTGov UI
* Gadget Web (rtgov UI)

The installer should change so that it prompts for the application user and then creates that user via "add-user.sh" or equivalent.

Handing this BZ over to thauser to complete the installer part.

Comment 4 Thomas Hauser 2013-11-14 14:48:30 UTC
These changes have been made for ER7.

Comment 5 Jiri Pechanec 2013-12-13 05:51:48 UTC
File removed in ER7
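
A check that could be run over the server's users properties files to confirm the fix discussed in this bug, added here as an example and not taken from the bug report or the installer's code: it flags entries whose value is not a digest. The `HEX(MD5(user:realm:password))` storage format, the `ApplicationRealm` realm name and the `fswuser` account are assumptions; the `admin` line is the one quoted in the description.

```python
import hashlib
import re

HEX_MD5 = re.compile(r"[0-9a-fA-F]{32}")


def realm_hash(user, realm, password):
    """HEX(MD5(user:realm:password)): assumed EAP 6 properties-realm format."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_properties(text):
    """Yield (key, value) pairs from 'key=value' lines.

    '#' and '!' start a comment only at the beginning of a line, so a
    trailing '#' (as in the reported password) is part of the value.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield key.strip(), value.strip()


def plaintext_entries(text):
    """Return the user names whose stored value is not a 32-hex-digit digest."""
    return [u for u, v in parse_properties(text) if not HEX_MD5.fullmatch(v)]


# Constructed samples. LEGACY_IDP_USERS holds the entry quoted in the bug
# description; APP_REALM_USERS mimics a hashed realm file for a hypothetical user.
LEGACY_IDP_USERS = "admin=password1#\n"
APP_REALM_USERS = (
    "# constructed sample\n"
    "fswuser=" + realm_hash("fswuser", "ApplicationRealm", "constructed-pass") + "\n"
)

if __name__ == "__main__":
    for name, text in (("overlord-idp-users.properties", LEGACY_IDP_USERS),
                       ("application-users.properties", APP_REALM_USERS)):
        print(name, plaintext_entries(text) or "no plaintext values")
```

A password that happens to be 32 hex characters is counted as a digest, so an empty result means no obviously plaintext values rather than proof that none exist.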

