[ https://issues.apache.org/jira/browse/DELTASPIKE-382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13684641#comment-13684641 ]

Gerhard Petracek edited comment on DELTASPIKE-382 at 6/16/13 1:04 PM:
----------------------------------------------------------------------

@mark:
So far I haven't said anything about the SPI (that would be a different 
JIRA ticket). I just don't agree with the out-of-the-box masking, which actively 
supports a questionable approach.

Yes, depending on the use case you might need to decrypt a password at some 
point, but without code reviews, security audits, ... you have to trust your 
developers anyway.
-> Ensure security in a better way. There are enough tools >like< 
https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin which do that 
in a general fashion and not only within DS.
(This one is for sure not for prod.; it's just an open example which shows that 
you have to do it on a different level and not in a single DS API. I can't reference 
closed examples like specific handlers, which would for sure be more 
appropriate.)

Btw., using strong language doesn't make anything more accurate and I refuse 
such a style in any discussion here.

      was (Author: gpetracek):
    @mark:
So far I haven't said anything about the SPI (that would be a different 
JIRA ticket). I just don't agree with the out-of-the-box masking, which actively 
supports a questionable approach.

Yes, depending on the use case you might need to decrypt a password at some 
point, but without code reviews, security audits, ... you have to trust your 
developers anyway.
-> Ensure security in a better way. There are enough tools >like< 
https://wiki.jenkins-ci.org/display/JENKINS/Mask+Passwords+Plugin which do that 
in a general fashion and not only within DS.

Btw., using strong language doesn't make anything more accurate and I refuse 
such a style in any discussion here.

> mask out passwords and other credentials
> ----------------------------------------
>
>                 Key: DELTASPIKE-382
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-382
>             Project: DeltaSpike
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 0.4
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>             Fix For: 0.5
>
>
> Our configuration mechanism currently logs all the configured values.
> This makes it hard to use it for passwords and stuff.
> I suggest we introduce some specific prefix property to configure configs 
> which contain sensitive information.
> For the key 'some.random.password' this could look like:
> deltaspike_config.mask.some.random.password=true
> In the log we would in this case just output the information whether and 
> where we did find some value, but not print the details for all configs which 
> start with all of the configured masks.
> I'm not yet sure though how to configure this best. Suggestions appreciated!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
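The masking scheme proposed in the quoted issue, as an added Python illustration: this is not DeltaSpike code (DeltaSpike is Java, and none of its Config API is used here). The `deltaspike_config.mask.` switch prefix and the rule that the remainder of the switch key is matched as a prefix of config keys follow the issue text; the sample properties, the `.properties` parser and the function names are constructed for this example. The block also contains the check a practitioner wants alongside such a feature: after the config dump is produced, assert that no masked value appears in any emitted log line. What it does not do is protect a value once application code has read it, which is the limitation the comment above points at.

```python
"""Mask sensitive configuration values in a startup config dump.

Added illustration of the scheme proposed in DELTASPIKE-382; not DeltaSpike
code.  Assumptions (hypothetical): mask switches live under the key prefix
'deltaspike_config.mask.', the rest of the switch key is a prefix of the
config keys to mask, and the configuration is one Java-style .properties text.
"""

MASK_PREFIX = "deltaspike_config.mask."

# Constructed sample configuration (not from the page).  A real application
# would read this from a file or the classpath.
SAMPLE_PROPERTIES = """\
# database settings
db.url=jdbc:postgresql://db.internal:5432/app
db.user=app
db.password=s3cr3t!
mail.smtp.host=smtp.internal
mail.smtp.password=another-secret
some.random.password=hunter2
# mask switches: the part after the prefix is itself matched as a key prefix
deltaspike_config.mask.db.password=true
deltaspike_config.mask.mail.smtp.password=true
deltaspike_config.mask.some.random=true
deltaspike_config.mask.db.url=false
"""


def parse_properties(text):
    """Minimal parser for the .properties subset used above.

    Handles comments, blank lines and 'key=value'; a bare key maps to ''.
    Escapes, line continuations and ':' separators are not implemented.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _sep, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def mask_prefixes(props):
    """Collect the key prefixes whose mask switch is set to true."""
    return [key[len(MASK_PREFIX):]
            for key, value in props.items()
            if key.startswith(MASK_PREFIX) and value.lower() == "true"]


def is_masked(key, prefixes):
    """Plain prefix match, as the issue text describes ('start with')."""
    return any(key.startswith(p) for p in prefixes)


def log_config(props, source="constructed sample"):
    """Return one log line per config entry, redacting masked keys.

    For a masked key only the fact that a value was found, and where, is
    reported; the value itself never reaches the returned line.
    """
    prefixes = mask_prefixes(props)
    lines = []
    for key in sorted(props):
        if key.startswith(MASK_PREFIX):
            continue  # the switches themselves are booleans; omitted as noise
        if is_masked(key, prefixes):
            lines.append(f"config key '{key}' found in {source} (value masked)")
        else:
            lines.append(f"config key '{key}' = '{props[key]}' (from {source})")
    return lines


def leaked(lines, props):
    """Return masked keys whose value still appears in the emitted log lines.

    This is the check to run in a test of the masking feature: an empty
    result means the config dump itself leaks nothing that was declared
    sensitive.  It says nothing about other places the value may be printed.
    """
    prefixes = mask_prefixes(props)
    return sorted(key for key, value in props.items()
                  if is_masked(key, prefixes) and value
                  and any(value in line for line in lines))


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    for entry in log_config(cfg):
        print(entry)
    print("leaked:", leaked(log_config(cfg), cfg))
```

Note that `deltaspike_config.mask.some.random=true` masks `some.random.password` by prefix, while `db.url` stays visible because its switch is `false`; a typo in a switch key silently masks nothing, which is why the `leaked` check belongs next to the feature rather than being left to inspection of the log.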
