Encode passwords stored in the database for mail, proxy servers, harvesters and map servers. #1715
…esters and map servers.
@fxprunayre I did a previous PR to develop and removed it to do it for 3.2.1, adding your suggestions. Please check if it looks fine and integrate it if so, thanks.
encrypterPassword = RandomStringUtils.randomAlphanumeric(10); | ||
|
||
conf.setProperty("encrypter.password", encrypterPassword); | ||
conf.save(); |
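Review bot: `RandomStringUtils.randomAlphanumeric(10)` on the first line of this hunk yields a key with at most about 59 bits of entropy (62^10 possible values), and if this is the Apache Commons Lang class it has historically drawn from a non-cryptographic generator. Since this value protects every stored password, generate it from `java.security.SecureRandom` with at least 128 bits and encode it for the properties file. In addition, `conf.save()` has no visible failure handling here: if the save fails, the generated value exists only in memory and anything encrypted with it cannot be decrypted after a restart, so a failed save should abort startup rather than continue.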
In some cases, the webapp folder is read-only. Will this work in such a case? Should we add the capability to move (or even move by default) the config file to the data dir? (The same applies to jdbc.properties.)
@@ -168,6 +168,7 @@ | |||
</entry> | |||
<entry key="3.2.1"> | |||
<list> | |||
<value>java:v321.UpdateEncryptedSettings</value> |
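Review bot: the `java:v321.UpdateEncryptedSettings` entry on the last line of this hunk is registered with no comment saying which settings it rewrites or whether it is safe to run twice. If it encrypts the stored passwords in place, as its name suggests, document that next to the entry or in the class Javadoc, and guard the step so that a second run does not encrypt values that are already encrypted.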
3.2.1 is released. Should move to 3.2.2
|
||
# Password encrypter for passwords stored in database | ||
encrypter.algorithm=PBEWithMD5AndDES | ||
encrypter.password=default |
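Review bot: `encrypter.algorithm=PBEWithMD5AndDES` derives a 56-bit DES key through MD5, which is weak for protecting credentials at rest. Prefer an AES-based PBE algorithm supported by the target JRE and the Jasypt version in use, for example `PBEWithHMACSHA256AndAES_256`, which in recent Jasypt versions also needs an IV generator configured. Separately, shipping `encrypter.password=default` means that any installation where the startup replacement does not happen encrypts with a publicly known password, so the code should refuse to encrypt while the value is still `default`.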
I would add those properties to the main pom.xml properties in order to be able to build a webapp with known encrypter values. If not, we will have to manually update the webapp to replace the "default" by the value generated. Having the config-sec.properties file outside the webapp would also help moving from one version to a new one.
@josegar74 are you still working on this? Should we migrate it to a newer version of GeoNetwork?
This pull request allows encrypting the passwords used for mail, proxy, harvesters and map servers that are stored in the database.
When the passwords are retrieved from the database they are decrypted, so the code using them requires no changes.
The library [jasypt](http://www.jasypt.org/) is used for the encryption/decryption of the passwords.
The configuration for the encrypter is stored in the file `WEB-INF/config-security/config-security.properties`.
When GeoNetwork starts up, if `encrypter.password` has the value `default`, a random key is generated that replaces the value `default`.
Migration to newer versions
When GeoNetwork is migrated to a newer version, the encrypter password defined in `WEB-INF/config-security/config-security.properties` should be copied to the new installation, otherwise it will not be possible to decrypt the existing passwords.
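The startup behaviour described above, together with the read-only-folder concern raised in review, as an added example that is not code from this pull request or from GeoNetwork. It swaps `RandomStringUtils` for `java.security.SecureRandom`; the class name `EncrypterKeyBootstrap`, the method `loadOrCreate` and the temporary sample file are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

// Added example (hypothetical class): provisions encrypter.password on first start.
public class EncrypterKeyBootstrap {
    static final String KEY = "encrypter.password"; // property name from the PR
    static final String PLACEHOLDER = "default";    // sentinel value shipped in the file

    /** Returns the password to use, generating and persisting one if still the placeholder. */
    static String loadOrCreate(Path propsFile) throws IOException {
        Properties conf = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            conf.load(in);
        }
        String current = conf.getProperty(KEY);
        if (current != null && !current.isEmpty() && !PLACEHOLDER.equals(current)) {
            return current; // already provisioned, e.g. copied over during a migration
        }
        // 256 bits from the platform CSPRNG; URL-safe Base64 needs no .properties escaping.
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String generated = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        conf.setProperty(KEY, generated);
        // Persist before anything is encrypted. On a read-only directory this throws,
        // and the caller must abort rather than encrypt with a key lost at restart.
        try (OutputStream out = Files.newOutputStream(propsFile)) {
            conf.store(out, "encrypter settings");
        }
        return generated;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for config-security.properties.
        Path f = Files.createTempFile("config-security", ".properties");
        String sample = "encrypter.algorithm=PBEWithMD5AndDES\nencrypter.password=default\n";
        Files.write(f, sample.getBytes(StandardCharsets.UTF_8));
        String first = loadOrCreate(f);
        String second = loadOrCreate(f); // simulated restart reads the persisted value
        System.out.println("generated length: " + first.length());
        System.out.println("stable across restart: " + first.equals(second));
        Files.delete(f);
    }
}
```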