Category: Enhancement request
Priority: Normal
Status: New
Project:
Severity: Critical
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
Hi,
My security team just pointed out that this software is defaulting to DES encryption for passwords, which is reversible. I added a comment to the following wiki page because I'm not comfortable just throwing Spring Security algorithms on our server unless it's been tested. I'm wondering if you would take a look at improving default security by implementing Spring Security BCrypt, PBKDF2, or SCrypt?
Is the professional edition also using DES password encryption?
https://community.jaspersoft.com/wiki/setting-password-encryption-algori...
Thanks,
Chris Clausen
Development Services
University of Victoria
cclausen@uvic.ca
v6.4.3
Authentication
1 Comment:
Have you looked at the following comment in webapps/jasperserver/WEB-INF/applicationContext-security.xml
> Alternatively, you may download one of the reputable providers such as Bouncy Castle (ships in JRS).
You would need to add the Bouncy Castle provider to the %JAVA_HOME%\jre\lib\security\java.security file
as a line security.provider.<seq number>=org.bouncycastle.jce.provider.BouncyCastleProvider