Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: Trunk
    • Fix Version/s: 17.12.01, 16.11.05
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      When OFBIZ-4983 was implemented I missed that we put the login.secret_key_string as a property in security properties. This should not have been done, because it eases attackers' work.

      The recommended way is to have it as a private static final String that can be changed just when compiling using sed and uuidgen. So then the key is temporary and final, and it gets quite a bit harder for a possible attacker to use this means.
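
A sketch of the sed and uuidgen step the description mentions, added here as an example; it is not part of the original issue or of OFBiz's code. The constant name `LOGIN_SECRET_KEY` and the source file passed as the argument are hypothetical.

```shell
#!/bin/sh
# Added example: stamp a fresh random key into a Java constant before compiling.
# Hypothetical names: LOGIN_SECRET_KEY and the source file given as $1.

# Print one random UUID; fall back to the Linux kernel source if uuidgen is absent.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        cat /proc/sys/kernel/random/uuid
    fi
}

# rotate_key FILE: replace the string literal assigned to LOGIN_SECRET_KEY.
# Fails, leaving FILE untouched, unless exactly one declaration line matches,
# so a renamed or missing constant breaks the build instead of shipping a stale key.
rotate_key() {
    src=$1
    decl='private static final String LOGIN_SECRET_KEY = "[^"]*";'
    count=$(grep -c "$decl" "$src") || true
    if [ "$count" != "1" ]; then
        echo "expected one LOGIN_SECRET_KEY declaration in $src, found ${count:-0}" >&2
        return 1
    fi
    key=$(new_uuid) || return 1
    [ -n "$key" ] || return 1
    tmp=$(mktemp) || return 1
    # A UUID holds only hex digits and '-', so it is safe inside the sed replacement.
    sed "s/\(private static final String LOGIN_SECRET_KEY = \"\)[^\"]*\(\";\)/\1$key\2/" \
        "$src" > "$tmp" && cat "$tmp" > "$src"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# When run as a script, rotate the key in the file named on the command line.
if [ "$#" -gt 0 ]; then
    rotate_key "$1"
fi
```

The script writes through a temporary file rather than `sed -i`, so it behaves the same with GNU and BSD sed.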

              People

              • Assignee:
                jacques.le.roux Jacques Le Roux
                Reporter:
                jacques.le.roux Jacques Le Roux