tinned_tuna Posted January 11, 2012

Whilst going through the source for JasperReports Server 4.2.1 Community Edition, I noticed that the key for storing passwords is in the configuration -- it doesn't seem like it's dynamic (i.e. set at install). This means that the key (which should be secret) appears to be in all the downloads of JasperReports Server 4.2.1, and is common across all installs.

If I'm right, it would mean that anyone who has access to the JasperServer database would have easy access to all of the passwords in that database (e.g. through SQL injection of the JasperServer web interface, poorly configured database security settings, database password leak etc.).

While I understand that this is necessary for the JDBC connections, I think it is a little worrisome for users' passwords. I think it would be better to allow users to easily set their key, or have one randomly generated at install time (and store it outside of the database, e.g. a file on disk) and have their passwords encrypted with that new key.

I have already sent an email to the support address, but got back what appeared to be mostly marketing. If someone more in the know could confirm or deny this, I'd be grateful.

- Tinned_Tuna
Ching Ice-creaming Posted January 12, 2012

JasperReports Server has considered OWASP standards. Please read chapter 10 of JasperReports-Server-CP-Install-Guide.pdf, which is about PASSWORD ENCRYPTION. This is what you need.

- Ching
tinned_tuna Posted January 12, 2012 (Author)

Ah, thanks. Is there any way to make that documentation more prominent? I think it would be a good idea, from a security standpoint, to generate a random salt when the server first boots. That way, people can't get caught out as easily.
Ching Ice-creaming Posted January 12, 2012

1. To make this documentation more prominent, you should ask Jaspersoft staff.
2. Table 10.1 of JasperReports-Server-CP-Install-Guide.pdf has pointed out that password encryption is in applicationContext-security.xml. To generate a random secret key at every startup, you need to modify its startup script in order to substitute the value into applicationContext-security.xml.

Post Edited by icecreaming at 01/13/2012 01:47
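Ching's suggestion of having the startup script substitute a fresh key into applicationContext-security.xml, worked through as an added Python example (not Jaspersoft's code): the bean id `passwordEncoder`, the property name `secretKey` and the file layout are assumptions standing in for whatever the real file uses.

```python
import secrets
import xml.etree.ElementTree as ET

SPRING_NS = "http://www.springframework.org/schema/beans"
ET.register_namespace("", SPRING_NS)  # write the default namespace back without a prefix

# Constructed sample context: the bean id, property name and layout are
# assumptions, not copied from the real applicationContext-security.xml.
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="passwordEncoder" class="example.PasswordCipher">
    <property name="algorithm" value="AES"/>
    <property name="secretKey" value="0123456789ABCDEF0123456789ABCDEF"/>
  </bean>
</beans>
"""


def new_key_hex(num_bytes: int = 16) -> str:
    """Fresh key from the OS CSPRNG, as uppercase hex (16 bytes = 128-bit key)."""
    return secrets.token_hex(num_bytes).upper()


def _find_property(root, bean_id, prop_name):
    """Locate <property name=prop_name> under <bean id=bean_id>, or raise KeyError."""
    q = "{%s}" % SPRING_NS
    for bean in root.iter(q + "bean"):
        if bean.get("id") == bean_id:
            for prop in bean.findall(q + "property"):
                if prop.get("name") == prop_name:
                    return prop
    raise KeyError(f"no <property name={prop_name!r}> on bean {bean_id!r}")


def read_key(xml_text: str, bean_id: str, prop_name: str) -> str:
    """Return the key currently configured on the given bean property."""
    return _find_property(ET.fromstring(xml_text), bean_id, prop_name).get("value")


def rotate_key(xml_text: str, bean_id: str, prop_name: str, key: str) -> str:
    """Return xml_text with the bean property's value replaced by key."""
    root = ET.fromstring(xml_text)
    _find_property(root, bean_id, prop_name).set("value", key)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Startup-script flow: replace the key that shipped in the download with one
    # unique to this install, then write the result over the context file.
    print(rotate_key(SAMPLE_CONTEXT, "passwordEncoder", "secretKey", new_key_hex()))
```

Anything already encrypted under the old key has to be re-encrypted before that key is discarded, so a per-boot rotation only works if the stored passwords are re-keyed in the same step; generating the key once at first start and keeping it outside the database, as tinned_tuna proposed, avoids that problem.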