[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033863#comment-14033863 ]
Francesco Chicchiriccò commented on SYNCOPE-505:
------------------------------------------------

The logic for hashing the password value according to the relevant configuration lies in the DBTable connector's code, not Syncope's. This means that normally Syncope passes the password as clear text (wrapped in {{GuardedString}}) and then the connector will hash it according to the configured algorithm before writing to the underlying db table.

We should find a way then to instruct the connector that the specific password value we are passing is already hashed: unfortunately, connector configuration properties are only evaluated when creating a connector instance, so they cannot be changed on-the-fly.

BTW, writing out the password only if {{SyncopeUser#getCipherAlgorithm}} matches the configured value for the DB Connector hash algorithm (e.g. the same logic of SYNCOPE-313) seems correct to me.

> Support propagating non-cleartext passwords to external resources
> -----------------------------------------------------------------
>
>                 Key: SYNCOPE-505
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-505
>             Project: Syncope
>          Issue Type: Improvement
>          Components: core
>            Reporter: Francesco Chicchiriccò
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> Similarly to SYNCOPE-313 during synchronization, it seems feasible to provide
> some Propagation Actions classes (say {{DBPasswordPropagationActions}} and
> {{LDAPPasswordPropagationActions}}) that will propagate non-cleartext password
> values to external resources.
> This might require some changes in the related connector bundles.

--
This message was sent by Atlassian JIRA
(v6.2#6252)