WFLY-20921

Legacy documentation recommends insecure credential handling (SecureIdentityLoginModule, PBEUtils)


      1. Visit legacy documentation examples (e.g. developer.jboss.org/…/originalcontent.txt).
      2. Review SecureIdentityLoginModule and JaasSecurityDomainIdentityLoginModule usage.
      3. Observe that they recommend weak or hard-coded password handling without warnings.
    • Documentation (Ref Guide, User Guide, etc.)

      While reviewing legacy documentation/examples still publicly available, I found that some WildFly/JBoss guides reference insecure practices for datasource password management:


      • org.jboss.resource.security.SecureIdentityLoginModule relies on a hard-coded master password, meaning encrypted datasource passwords can be trivially recovered.
      • JaasSecurityDomainIdentityLoginModule with PBEUtils also demonstrates outdated password-based encryption methods that no longer provide adequate security.
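For contrast with the legacy modules named above, here is the current WildFly way to keep a datasource password out of the configuration file: an Elytron credential store holding the secret, referenced from the datasource by alias. This is an added example written for this issue, not text or code from the original report or from the WildFly documentation; the store name `ds-credentials`, the alias `dbPassword`, the datasource name `ExampleDS`, the connection URL, and all passwords are placeholder values chosen for illustration.

```jboss-cli
# Added example (not from the original issue): replacing a SecureIdentityLoginModule-style
# "encrypted" datasource password with an Elytron credential store.
# Assumptions: WildFly with the elytron and datasources subsystems, run as a jboss-cli batch.
# All names, paths and secrets below are placeholders.

batch

# 1. Create a credential store file under the server configuration directory.
#    The store is protected by its own password; here it is supplied in clear text
#    purely for illustration. In practice mask it with elytron-tool.sh (mask subcommand)
#    and use credential-reference={clear-text="MASK-..."} instead.
#    On older releases the 'path' attribute is spelled 'location'.
/subsystem=elytron/credential-store=ds-credentials:add( \
    path="ds-credentials.cs", \
    relative-to=jboss.server.config.dir, \
    credential-reference={clear-text="PLACEHOLDER-store-password"}, \
    create=true)

# 2. Store the database password under an alias. The secret never appears in
#    standalone.xml; only the alias name does.
/subsystem=elytron/credential-store=ds-credentials:add-alias( \
    alias=dbPassword, \
    secret-value="PLACEHOLDER-db-password")

# 3. Define the datasource with a credential-reference instead of a password attribute
#    or a security-domain pointing at SecureIdentityLoginModule.
/subsystem=datasources/data-source=ExampleDS:add( \
    jndi-name="java:jboss/datasources/ExampleDS", \
    driver-name=h2, \
    connection-url="jdbc:h2:mem:example;DB_CLOSE_DELAY=-1", \
    user-name=sa, \
    credential-reference={store=ds-credentials, alias=dbPassword})

run-batch

# Verification: the persisted configuration should show the alias, not the secret.
/subsystem=datasources/data-source=ExampleDS:read-attribute(name=credential-reference)
```

The security-relevant difference from the legacy modules is where the key material lives: SecureIdentityLoginModule decrypts with a key compiled into the module, so the ciphertext in the configuration protects nothing against anyone who can read the file; a credential store is unlocked by a password that is not derivable from the WildFly distribution, and the store file can be given a tighter filesystem ACL than standalone.xml. Setting the store password itself through a masked credential-reference (or an external vault) is what keeps the configuration file free of any clear-text secret.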


              Assignee: Unassigned
              Reporter: Beatriz Fresno Naumova (beafn28)