Encode passwords stored in the database for mail, proxy servers, harvesters and map servers.

[josegar74]

This pull request allows to encrypt the passwords used for mail, proxy, harvesters and map servers that are stored in the database.

When the passwords are retrieved from the database are unencrypted, the code using them requires no changes.

For the encryption/decryption of the passwords is used the library [jasypt(http://www.jasypt.org/).

The configuration for the encrypter is stored in the file WEB-INF/config-security/config-security.properties:

    # Password encrypter for passwords stored in database
    encrypter.algorithm=PBEWithMD5AndDES
    encrypter.password=default

When GeoNetwork starts up, if encrypter.password has the value default it's generated a random key that replaces the value default.

Migration to newer versions

When GeoNetwork is migrated to a newer version, the encrypter password defined in WEB-INF/config-security/config-security.properties should be copied to the new installation, otherwise will not be possible to decrypt the existing passwords.

[josegar74]

@fxprunayre I did a previous PR to develop and removed to do it for 3.2.1 adding your suggestions. Please check if looks fine and integrate it if so, thanks.

[fxprunayre]

In some case, the webapp folder is readonly. Will this work in such case ? Should we add the capability to (or even move by default) the config file to the data dir ? (same applies for jdbc.properties)

[fxprunayre]

3.2.1 is released. Should move to 3.2.2

[fxprunayre]

I would add those properties to main pom.xml properties in order to be able to build a webapp with a known encrypter values. If not, we will have to manually update the webapp to replace the "default" by the value generated. Having the config-sec.properties file outside the webapp would also help moving from one version to a new one.

[Delawen]

@josegar74 are you still working on this? Should we migrate it to a newer version of GeoNetwork?