|
| Re: Access unhashed value of password field [message #1732202 is a reply to message #1732173] |
Fri, 13 May 2016 11:53   |
 Ed Merks
Messages: 33142
Registered: July 2009 |
Senior Member |
|
|
Johannes,
Comments below.
On 13.05.2016 11:13, Johannes Dorn wrote:
> Our Oomph setup requires the user to enter a username and password
> which is then used as part of URLs, e.g. to configure a Code
> Recommenders model repository like this:
> http://username:password@xxxxxxxx/models.
And this site doesn't support https with proper prompting for username
and password?
>
> This allows us to offer password protected URLs without the user
> needing to input the password more than once.
The ECFURIHandler for example does this prompting and saves the password
so it's only prompted once.
>
> We would like the input field during the Oomph setup to mask the input
> with '*'. When using the variable task with the type PASSWORD, we
> cannot access the value in the clear to put into the URL. We can only
> access the hashed value. Thus, we are forced to use a normal STRING
> variable.
>
> Is it possible to access the unhashed/original value of a PASSWORD
> variable?
I suppose we could provide something like that, but it seems very
insecure. We've gone to significant lengths to avoid even having the
clear text password in the stack for a significant period of time. For
example, such passwords are needed by MylynBuildTask as well, so it's
used like this:
public boolean isNeeded(SetupTaskContext context) throws Exception
{
IBuildServer server = getServer();
if (server == null)
{
return true;
}
if (isAuthenticate())
{
UserCredentials credentials =
server.getLocation().getCredentials(AuthenticationType.REPOSITORY);
if (credentials == null ||
!ObjectUtil.equals(credentials.getPassword(),
PreferencesUtil.decrypt(getPassword())))
{
return true;
}
}
return !getMissingBuildPlans(server).isEmpty();
}
I'm not sure how the model repository is configure. What task is
involved? If it's your own specialized task, best you look at how
other tasks deal with this. I.e., best you have PreferencesUtil.decrypt
in your code than that we have a filter that does this...
Ed Merks
Professional Support: https://www.macromodeling.com/
|
|
|
|
| Re: Access unhashed value of password field [message #1732277 is a reply to message #1732217] |
Sat, 14 May 2016 12:28 |
Ed Merks
Messages: 33142
Registered: July 2009 |
Senior Member |
|
|
Johannes,
I'm really quite uncomfortable with allowing a password to be stored and
passed around as a clear text value. If you're going to use a password
in this way, but the user is under the impression that it's masked,
because the entry field masks it but later on that password appears in
various files in clear text form, I think that's a bad thing for the
user. For Oomph to encourage that as a valid usage pattern will then
reflect poorly on Oomph. I could use such a feature to do sneaky
things. For example, I could create a resource copy task that uses a
URI that points at a server that I control, and in the URI includes
segments with the clear text value value of ${eclipse.user.password) and
${git.user.id}. My server could then gather this information.
It just feels wrong. If the password will be used and stored in clear
text form (i.e., it will appear in a log, or stored as a normal
preference) then it's not secure and the user should not be given the
impression that it will be secure...
On 13.05.2016 15:38, Johannes Dorn wrote:
> Thanks for your reply, Ed.
>
> The basic use case for this would be when the user of the password
> doesn't have access to the secure storage.
> One use case would be to set the system property java.net.socks.password.
> Another such case (ours) is the Recommenders model repository, where
> the URL (including the password) is stored in the preferences.
>
> I am well aware that this is not good behavior from a security
> standpoint, but apparently convenience is a priority for this setup.
Ed Merks
Professional Support: https://www.macromodeling.com/
|
|
|
Powered by
FUDForum. Page generated in 0.02830 seconds
] 
Search
Help
Register
Login
Home
