Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » BIRT » BIRT reports security issue with database password (odaPassword)(Database Password (odaPassword) unencrypted)
BIRT reports security issue with database password (odaPassword) [message #777901] Wed, 11 January 2012 06:06 Go to next message
Daniel V is currently offline Daniel V
Messages: 2
Registered: July 2009
Junior Member
Hello,

I have remarked that my database password appear not-encrypted into the report file under the design section.

<design:DataSetParameters>
<design:parameterDefinitions>
<design:inOutMode>In</design:inOutMode>
<design:attributes>
...
</design:attributes>
<design:inputAttributes>
<design:elementAttributes>
<design:optional>false</design:optional>
<design:masksValue>false</design:masksValue>
<design:dynamicValueChoices>
<design:dataSetDesign>
<design:name>Agents</design:name>
<design:odaExtensionDataSetId>org.eclipse.birt.report.data.oda.jdbc.JdbcSelectDataSet</design:odaExtensionDataSetId>
<design:dataSourceDesign>
<design:name>vsl</design:name>
<design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
<design:publicProperties>
<design:properties>
<design:nameValue>
<design:name>odaDriverClass</design:name>
<design:value>org.postgresql.Driver</design:value>
</design:nameValue>
</design:properties>
<design:properties>
<design:nameValue>
<design:name>odaURL</design:name>
<design:value>jdbc:postgresql://localhost/db</design:value>
</design:nameValue>
</design:properties>
<design:properties>
<design:nameValue>
<design:name>odaUser</design:name>
<design:value>postgres</design:value>
</design:nameValue>
</design:properties>
<design:properties>
<design:nameValue>
<design:name>odaPassword</design:name>
<design:value>CLEAR_PASSWORD</design:value>
</design:nameValue>


-The value of the parameter odaPassword is not encrypted!

Just to note that the database password is encrypted for the data-source definition :
<property name="odaDriverClass">org.postgresql.Driver</property>
<property name="odaURL">jdbc:postgresql://localhost/db</property>
<property name="odaUser">postgres</property>
<encrypted-property name="odaPassword" encryptionID="base64">ENCRYPTED_PASSWORD</encrypted-property>


Any help is very appreciated.
Thanks in advance.

Cheers

PS: I'm using BIRT 2.5.2
Re: BIRT reports security issue with database password (odaPassword) [message #778401 is a reply to message #777901] Wed, 11 January 2012 17:38 Go to previous messageGo to next message
Jason Weathersby is currently offline Jason Weathersby
Messages: 9167
Registered: July 2009
Senior Member

I believe in later versions this has been fixed. If you switch to the
xml view and delete the designer values, does it re-write them?

Jason

On 1/11/2012 1:06 AM, Daniel Mising name wrote:
> Hello,
>
> I have remarked that my database password appear not-encrypted into the
> report file under the design section.
>
> <design:DataSetParameters>
> <design:parameterDefinitions>
> <design:inOutMode>In</design:inOutMode>
> <design:attributes>
> ...
> </design:attributes>
> <design:inputAttributes>
> <design:elementAttributes>
> <design:optional>false</design:optional>
> <design:masksValue>false</design:masksValue>
> <design:dynamicValueChoices>
> <design:dataSetDesign>
> <design:name>Agents</design:name>
> <design:odaExtensionDataSetId>org.eclipse.birt.report.data.oda.jdbc.JdbcSelectDataSet</design:odaExtensionDataSetId>
>
> <design:dataSourceDesign>
> <design:name>vsl</design:name>
> <design:odaExtensionId>org.eclipse.birt.report.data.oda.jdbc</design:odaExtensionId>
>
> <design:publicProperties>
> <design:properties>
> <design:nameValue>
> <design:name>odaDriverClass</design:name>
> <design:value>org.postgresql.Driver</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaURL</design:name>
> <design:value>jdbc:postgresql://localhost/db</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaUser</design:name>
> <design:value>postgres</design:value>
> </design:nameValue>
> </design:properties>
> <design:properties>
> <design:nameValue>
> <design:name>odaPassword</design:name>
> <design:value>CLEAR_PASSWORD</design:value>
> </design:nameValue>
>
>
> -The value of the parameter odaPassword is not encrypted!
>
> Just to note that the database password is encrypted for the data-source
> definition :
> <property name="odaDriverClass">org.postgresql.Driver</property>
> <property name="odaURL">jdbc:postgresql://localhost/db</property>
> <property name="odaUser">postgres</property>
> <encrypted-property name="odaPassword"
> encryptionID="base64">ENCRYPTED_PASSWORD</encrypted-property>
>
>
> Any help is very appreciated.
> Thanks in advance.
>
> Cheers
> PS: I'm using BIRT 2.5.2
icon14.gif  Re: BIRT reports security issue with database password (odaPassword) [message #781054 is a reply to message #778401] Fri, 20 January 2012 08:56 Go to previous message
Daniel V is currently offline Daniel V
Messages: 2
Registered: July 2009
Junior Member
Hi Jason,

Thanks a lot Smile

I have only deleted the design value for the odaPassword parameter as you have suggested, so now it looks like this :

<design:name>odaPassword</design:name>
<design:value></design:value>

and the problem is SOLVED, the report still works as expected and the database password is not shown.

I have edited the .rptdesign file manually (with text editor) but even I have re-saved the report with the BIRT designer the password was not re-written.

Cheers





[Updated on: Fri, 20 January 2012 09:34]

Report message to a moderator

Previous Topic:Sum Elements in Grid
Next Topic:"Getting more records or rows with data which are not generated in Birt designer preview."
Goto Forum:
  


Current Time: Sat Oct 25 06:28:28 GMT 2014

Powered by FUDForum. Page generated in 0.13626 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software