[#11696] - Default password encryption is reversible

Category: Enhancement request
Priority: Normal
Status: New
Project:
Severity: Critical
Resolution: Open
Component:
Reproducibility: Always
Assigned to:

Hi,

My security team just pointed out that this software is defaulting to DES encryption for passwords, which is reversible. I added a comment to the following wiki page because I'm not comfortable just throwing Spring Security algorithms on our server unless it's been tested. I'm wondering if you would take a look at improving default security by implementing Spring Security BCrypt, PBKDF2, or SCrypt?

Also, is the Professional edition also using DES password encryption?

https://community.jaspersoft.com/wiki/setting-password-encryption-algori...

Thanks,

Chris Clausen
Development Services
University of Victoria
cclausen@uvic.ca

v6.4.3
Authentication
Joined: Feb 22 2018 - 12:43pm
Last seen: 4 years 3 weeks ago
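The report asks for a one-way, salted, cost-adjustable password hash (BCrypt, PBKDF2 or scrypt) in place of reversible DES. The following is an added example, not code from JasperReports Server or from Spring Security, showing what such a scheme looks like: PBKDF2-HMAC-SHA256 from the Python standard library, a self-describing storage record, constant-time verification that never decrypts anything, and a check for records stored with an outdated cost factor. The record format (`algorithm$iterations$salt$digest`) and the iteration count are this example's own choices, not the project's.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example: a salted, iterated one-way password hash of the kind
# the report asks for, in place of reversible DES encryption.  Standard
# library only.  The record format and constants below are this example's
# own assumptions, not JasperReports Server's or Spring Security's.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # cost factor; raise it as hardware gets faster
SALT_BYTES = 16           # fresh random salt per password
DIGEST_BYTES = 32         # SHA-256 output size


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Salt and digest are base64; the record carries everything verification
    needs, so the cost factor can be raised later without a migration flag.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, DIGEST_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost and compare.

    Nothing is decrypted: the only way to check a password is to redo the
    one-way computation.  Malformed or foreign records simply fail.
    """
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:        # wrong field count, bad int, bad base64
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, len(expected)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is not in the current scheme or uses a
    lower cost than currently required; call after a successful login and
    re-store the password with hash_password() if it returns True."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True
```

In Spring Security the equivalent building blocks are `Pbkdf2PasswordEncoder`, `BCryptPasswordEncoder` and `SCryptPasswordEncoder`, whose `encode`/`matches` methods play the roles of `hash_password` and `verify_password` above; the re-hash-on-login step is what lets an existing user base migrate off a reversible scheme without a forced password reset.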

1 Comment:

#1

Have you looked at the following comment in webapps/jasperserver/WEB-INF/applicationContext-security.xml?

> Alternatively, you may download one of the reputable providers such as Bouncy Castle (ships in JRS).
> You would need to add the Bouncy Castle provider to %JAVA_HOME%\jre\lib\security\java.security file
> as a line security.provider.<seq number>=org.bouncycastle.jce.provider.BouncyCastleProvider
