On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
Hello Marco,
Thanks for your wonderful work in this area.
I truly appreciate your efforts.
Here are a few thoughts / comments:
1) We are saving password as it is.
https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
I think we should encrypt the password before saving it to the database
and not show the password as it is when fetching it from the database.
Thoughts?
+1, using what we already use (also SHA that should be salted at
some point in the future)
These are all good changes, so thanks to Jacques and especially Ashish
for the comments.
For the gateway password encryption we'll want to use the Entity
Engine's built-in two-way encryption. We can't use SHA/hash encryption
because we have to be able to decrypt these passwords to send them to
the payment gateway (i.e. they would never accept a hashed form of the
password, that is a big security hole and basically nullifies most of
the benefit of the hash, which is why by default we don't allow that
in OFBiz either).
-David
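The distinction David draws between one-way hashing and the Entity Engine's two-way encryption, as an added illustration in plain JCA code (this is not OFBiz's own implementation): user login passwords get a salted hash that can only be verified, while gateway passwords are encrypted under an application key so they can be decrypted for the gateway call and masked on the configuration screen. The class name, the `$`-separated storage format and `appKey` (assumed to be an AES `SecretKey` loaded from configuration held outside the database) are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

/** Illustrative storage helpers; not OFBiz Entity Engine code. */
public class SecretStorage {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getEncoder();
    private static final Base64.Decoder DEC = Base64.getDecoder();
    // User login passwords: salted one-way hash, verify only; plaintext is never recoverable.
    static String hashUserPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return ENC.encodeToString(salt) + "$" + ENC.encodeToString(pbkdf2(password, salt));
    }
    static boolean verifyUserPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$", 2);
        // constant-time comparison so timing does not reveal how many bytes matched
        return MessageDigest.isEqual(pbkdf2(password, DEC.decode(parts[0])), DEC.decode(parts[1]));
    }
    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Gateway passwords: two-way AES-GCM under an application key kept outside the database
    // (assumed supplied by the caller), so only the code that talks to the gateway recovers plaintext.
    static String encryptGatewaySecret(SecretKey appKey, String secret) throws Exception {
        byte[] iv = new byte[12];   // fresh random nonce for every stored value
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, appKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return ENC.encodeToString(iv) + "$" + ENC.encodeToString(ct);
    }
    static String decryptGatewaySecret(SecretKey appKey, String stored) throws Exception {
        String[] parts = stored.split("\\$", 2);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, appKey, new GCMParameterSpec(128, DEC.decode(parts[0])));
        return new String(c.doFinal(DEC.decode(parts[1])), StandardCharsets.UTF_8); // tag verified here
    }
    // What a screen like ViewGatewayConfiguration should render instead of the stored value.
    static String maskForDisplay(String stored) { return stored.isEmpty() ? "" : "********"; }
}
```

A leaked table of `hashUserPassword` outputs yields nothing usable without the original passwords, whereas a leaked table of `encryptGatewaySecret` outputs is only as safe as the application key, which is why that key must never live in the same database.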