Add ability to encrypt properties so they are encrypted in the db and do not appear in the admin console.
Activity

Greg Thomas June 7, 2016 at 9:59 AM
I've just raised a question about this new functionality at https://community.igniterealtime.org/message/258105 - is/should the recording of the property in security.xml be reflected across all nodes in the cluster?

Tom Evans April 10, 2014 at 2:40 AM
OK - I saw your commit, and I agree that conf/security.xml should be treated as a configuration file in the various distributions. Apologies for missing that step, and thanks for picking me up on that one.

Daryl Herzmann April 9, 2014 at 3:03 PM
Tom, FYI, I had to send an additional patch in so that the RPM build understood that the security.xml file was marked as a config file. I wonder if other distro builds are also impacted by this.

Tom Evans April 3, 2014 at 1:57 AM
Implemented; pending review/feedback

Tom Evans April 3, 2014 at 12:44 AM
OK I am ready with an implementation of this feature and would like to have some feedback on my approach. The key addition is a new XML file (security.xml) that we will use to keep track of the encryption settings along with a list of encrypted properties. I have attached the file here as it also contains the main documentation for the new feature set.
There are numerous properties used in OF to store passwords. The current strategy simply omits displaying the text in the admin console when the property matches a regular expression. Some existing passwords don't actually match this expression now (the PKI truststore and keystore passwords for instance).
Adding to the regular expression is a stop gap measure that is difficult to maintain as it requires code changes to adapt to new names. It also means the actual passwords are still stored as clear text in the db.
I think a better approach is to add an option to encrypt any property, which will automatically store it encoded. This would work for any existing password or any future one, whether it is an Openfire defined one or a custom property for a plugin.
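The approach described in this comment (a configured list of property names whose values are encrypted at rest, decrypted transparently on read, and masked in the console without a name regex), as an added illustration in Go; this is not Openfire's code and makes no claim about the layout of security.xml. The key, the property names and the in-memory "table" are constructed for the demo, and AES-GCM with the property name as associated data is one reasonable choice, not necessarily the one the implementation made.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// PropertyStore stands in for the property table. Names in encrypted (the role of
// the list kept in security.xml) are stored ciphertext-only; the rest stay in clear.
type PropertyStore struct {
	aead      cipher.AEAD       // AES-GCM under a key assumed to be loaded from security.xml
	encrypted map[string]bool   // property names that must be encrypted at rest
	DB        map[string]string // simulated property rows: name -> stored value
}
func NewPropertyStore(key []byte, names ...string) (*PropertyStore, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	s := &PropertyStore{aead: aead, encrypted: map[string]bool{}, DB: map[string]string{}}
	for _, n := range names { s.encrypted[n] = true }
	return s, nil
}
// Set stores the value; marked names get a fresh nonce and the name bound as associated data.
func (s *PropertyStore) Set(name, value string) {
	if !s.encrypted[name] { s.DB[name] = value; return }
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) } // no nonce, no encryption
	ct := s.aead.Seal(nonce, nonce, []byte(value), []byte(name)) // stored as nonce || ciphertext
	s.DB[name] = base64.StdEncoding.EncodeToString(ct)
}
// Get returns the clear value, transparently decrypting marked properties.
func (s *PropertyStore) Get(name string) (string, error) {
	raw, ok := s.DB[name]
	if !ok { return "", fmt.Errorf("no such property %q", name) }
	if !s.encrypted[name] { return raw, nil }
	ct, err := base64.StdEncoding.DecodeString(raw)
	n := s.aead.NonceSize()
	if err != nil || len(ct) < n { return "", fmt.Errorf("corrupt ciphertext for %q", name) }
	pt, err := s.aead.Open(nil, ct[:n], ct[n:], []byte(name)) // fails on tampering, swap or wrong key
	return string(pt), err
}
// AdminView is what the console shows: marked properties are masked without a name regex.
func (s *PropertyStore) AdminView(name string) string {
	if s.encrypted[name] { return "********" }
	return s.DB[name]
}
```

Because the name is associated data, a ciphertext copied from one encrypted row onto another fails to decrypt, and a plain `SELECT` on the table shows only base64 for marked properties.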