I agree that it should be possible to use all Synapse features without having to store cleartext passwords in the config files (and without having them appear in log files).
Just some random ideas about this topic:

* Indika implemented a mechanism for exactly this, but for the moment this is limited to data sources. There is some documentation about this feature, but it is somewhat hidden in the Sample Setup guide. We should have this documentation in a more prominent place. Maybe as a subsection in the new Deployment guide?
* As an alternative to usernames and passwords encoded in URLs, Commons VFS supports authentication by passing an org.apache.commons.vfs.UserAuthenticator object to the file system provider. Maybe we should define a property in the message context to allow passing such an object to the transport. Alternatively we could write an adapter so that we can handle e.g. HTTPS and VFS authentication in the same way.
* We should then have a mediator that builds the UserAuthenticator using the password encryption mechanisms implemented by Indika.

Any thoughts?

Andreas

On Thu, Apr 2, 2009 at 00:34, Kim Horn <[email protected]> wrote:
> It may, we are given simple text passwords by systems we have to
> interface to. FTP is still the largest B2B mechanism in the US :-). We
> cannot ask them to supply us anything else but a simple
> username/password; this is the reality of B2B. The only issue we have
> is that these are not kept in clear text in script files. In our domain
> this is illegal and in all other domains bad practice. So all we
> require is to be able to have these encrypted in any script files. I
> think this Jira suggests a stronger mechanism, sharing keys between SFTP
> servers, but is totally impractical in real world B2B.
>
> Kim
>
> -----Original Message-----
> From: Asankha Perera [mailto:[email protected]] On Behalf Of
> Asankha C. Perera
> Sent: Thursday, 2 April 2009 3:48 AM
> To: [email protected]
> Subject: Re: Can VFS SFTP Passwords be encrypted
>
> Hi Jay / Kim
>> A suggestion. SFTP can use PKI shared keys for authentication. The
>> keys are host+user specific.
>>
>> I am not familiar enough with Synapse to know exactly how you'd go
>> about it, but I do suggest that the answer lies in using PKI.
>>
> I guess https://issues.apache.org/jira/browse/SYNAPSE-507 is a proper
> solution for this.. and possibly we could already tweak VFS to do this..
>
> cheers
> asankhaa
>
> --
> Asankha C. Perera
> AdroitLogic, http://adroitlogic.org
>
> http://esbmagic.blogspot.com
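
A sketch of the UserAuthenticator approach from the second bullet of the message above, added here as an example; it is not code from the thread or from Synapse. The class name `SecretBackedAuthenticator`, the `passwordSource` supplier (a stand-in for whatever decryption step is used), the user `partner1` and the host `ftp.example.com` are assumptions, and the sample secret is constructed.

```java
import java.util.function.Supplier;

import org.apache.commons.vfs.FileSystemException;
import org.apache.commons.vfs.FileSystemOptions;
import org.apache.commons.vfs.UserAuthenticationData;
import org.apache.commons.vfs.UserAuthenticator;
import org.apache.commons.vfs.impl.DefaultFileSystemConfigBuilder;

/** Hypothetical authenticator: the password is resolved only when a provider asks for it. */
public class SecretBackedAuthenticator implements UserAuthenticator {
    private final String username;
    private final Supplier<char[]> passwordSource; // assumption: wraps the decryption step

    public SecretBackedAuthenticator(String username, Supplier<char[]> passwordSource) {
        this.username = username;
        this.passwordSource = passwordSource;
    }

    public UserAuthenticationData requestAuthentication(UserAuthenticationData.Type[] types) {
        UserAuthenticationData data = new UserAuthenticationData();
        for (UserAuthenticationData.Type type : types) {
            // Hand back only what the provider requested.
            if (UserAuthenticationData.USERNAME.equals(type)) {
                data.setData(type, username.toCharArray());
            } else if (UserAuthenticationData.PASSWORD.equals(type)) {
                data.setData(type, passwordSource.get());
            }
        }
        return data;
    }

    /** Builds options that carry the authenticator, so the URL needs no user:password part. */
    public static FileSystemOptions optionsFor(UserAuthenticator auth) throws FileSystemException {
        FileSystemOptions opts = new FileSystemOptions();
        DefaultFileSystemConfigBuilder.getInstance().setUserAuthenticator(opts, auth);
        return opts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a real deployment would decrypt the stored value here.
        Supplier<char[]> source = () -> "constructed-sample-secret".toCharArray();
        UserAuthenticator auth = new SecretBackedAuthenticator("partner1", source);
        FileSystemOptions opts = optionsFor(auth);

        // The request a provider makes: ask for credentials, use them, then wipe them.
        UserAuthenticationData data = auth.requestAuthentication(new UserAuthenticationData.Type[] {
                UserAuthenticationData.USERNAME, UserAuthenticationData.PASSWORD});
        System.out.println("user=" + new String(data.getData(UserAuthenticationData.USERNAME)));
        data.cleanup(); // zeroes the char[] copies held in 'data'

        // Passing 'opts' to VFS.getManager().resolveFile("sftp://ftp.example.com/inbox", opts)
        // keeps the credentials out of the URL and of any log line that prints the URL.
    }
}
```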
