[ 
https://issues.apache.org/jira/browse/OFBIZ-10047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294188#comment-16294188
 ] 

James Yong commented on OFBIZ-10047:
------------------------------------

Thanks Jacques. 

I have revised the original comments for "password is stored in clear.". Hope 
it is clearer.

>From Tomcat point of view, the mutate method is meant to prevent the attacker 
>from knowing the username doesn't exist by encrypting the input password. But 
>if the passwords are stored as clear text in the database, it doesn't make 
>sense to implement the mutate method.

Even though the mutate methods are implemented as they should behave, OFBiz 
doesn't hide the fact that the username doesn't exist during the login process. 
Maybe for business reasons?

> Tomcat SSO
> ----------
>
>                 Key: OFBIZ-10047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10047
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, 
> OFBIZ-10047.patch, OFBIZ-10047.patch
>
>
> Proposing Tomcat SSO to be used in OFBiz to improve on Single-Sign-On.
> This aim to fix the issues mentioned in OFBIZ-6963, OFBIZ-6994.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
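The point James is making about mutate, as an added illustration that is not OFBiz or Tomcat code: a realm that returns early for an unknown username does less work than one that verifies a password hash, so response time tells an attacker whether the account exists. Tomcat's realms avoid that by calling the credential handler's mutate() on the input password before rejecting an unknown user, so both paths cost roughly the same. The example below models a Tomcat-style credential handler with only the mutate()/matches() pair (class names, the PBKDF2 parameters and the user table are assumptions made for the example), and contrasts the early-exit lookup with the padded one. It also shows why the padding buys nothing when passwords are stored in clear: a clear-text handler's mutate() is a no-op, so there is no expensive work to equalise.

```python
import hashlib
import hmac
import os
import statistics
import time

# High enough that skipping the hash on the unknown-user path is measurable.
PBKDF2_ITERATIONS = 50_000


class Pbkdf2Handler:
    """Assumed stand-in for a hashing CredentialHandler: mutate() is expensive."""

    def mutate(self, password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return f"{salt.hex()}${digest.hex()}"

    def matches(self, password: str, stored: str) -> bool:
        salt_hex, digest_hex = stored.split("$", 1)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest.hex(), digest_hex)


class ClearHandler:
    """Passwords stored in clear: mutate() has nothing to do, only the compare matters."""

    def mutate(self, password: str) -> str:
        return password

    def matches(self, password: str, stored: str) -> bool:
        return hmac.compare_digest(password.encode(), stored.encode())


def build_store(handler, users):
    """Constructed user table: username -> whatever the handler stores."""
    return {name: handler.mutate(pw) for name, pw in users.items()}


def authenticate_early_exit(store, handler, username, password):
    """Rejects an unknown username at once; the skipped hash work leaks that the
    account does not exist."""
    stored = store.get(username)
    if stored is None:
        return False
    return handler.matches(password, stored)


def authenticate_padded(store, handler, username, password):
    """Tomcat-style: spend the same hashing effort on an unknown username before
    rejecting it, so the two failure paths look alike from outside."""
    stored = store.get(username)
    if stored is None:
        handler.mutate(password)  # result deliberately discarded
        return False
    return handler.matches(password, stored)


def median_seconds(fn, *args, rounds=5):
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def timing_ratio(store, handler, auth):
    """Unknown-user time divided by wrong-password time for a known user.
    Close to 1.0 means the attacker cannot separate the two cases by timing."""
    known = median_seconds(auth, store, handler, "alice", "wrong-password")
    unknown = median_seconds(auth, store, handler, "nobody", "wrong-password")
    return unknown / known if known else float("inf")


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed sample account
    for store_name, handler in (("hashed", Pbkdf2Handler()), ("clear", ClearHandler())):
        store = build_store(handler, users)
        for label, auth in (("early exit", authenticate_early_exit),
                            ("padded", authenticate_padded)):
            print(f"{store_name:6s} {label:10s} ratio={timing_ratio(store, handler, auth):.2f}")
```

With the hashed store the early-exit ratio is far below 1 (the unknown user is rejected in microseconds while a known user with a wrong password costs a full PBKDF2 run) and the padded ratio sits near 1. With the clear store both ratios are just noise around 1 because neither path does any real work, which is the comment's point: mutate() only hides anything when the stored credential is a hash. Note that padding the realm does not help if the application layer then reports "user not found" in its own error message, as James observes OFBiz doing.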
