tinned_tuna

Members
Posts: 2

  1. Ah, thanks. Is there any way to make that documentation more prominent? I think it would be a good idea, from a security standpoint, to generate a random salt when the server first boots. That way, people can't get caught out as easily.
  2. Whilst going through the source for JasperReports Server 4.2.1 Community Edition, I noticed that the key for storing passwords is in the configuration -- it doesn't seem like it's dynamic (i.e. set at install). This means that the key (which should be secret) appears to be in all the downloads of JasperReports Server 4.2.1, and is common across all installs. If I'm right, it would mean that anyone who has access to the JasperServer database would have easy access to all of the passwords in that database (e.g. through SQL injection of the JasperServer web interface, poorly configured database security settings, database password leak, etc.). While I understand that this is necessary for the JDBC connections, I think it is a little worrisome for users' passwords. I think it would be better to allow users to easily set their key, or have one randomly generated at install time (and store it outside of the database, e.g. a file on disk) and have their passwords encrypted with that new key. I have already sent an email to the support address, but got back what appeared to be mostly marketing. If someone more in the know could confirm or deny this, I'd be grateful. - Tinned_Tuna
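The following is an added illustration of the key-handling change proposed in the two posts above: a key that ships in every download compared with one generated at first boot and kept in a file outside the database. It is example code written for this page, not JasperReports Server code; the shipped key bytes, the file names, the sample credential and the HMAC-SHA256-based toy cipher are all constructed stand-ins (a real deployment would use AES-GCM or similar from a vetted library).

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed stand-in for a key that ships inside the product's configuration files:
# every download contains the same bytes, so it is effectively public.
SHIPPED_CONFIG_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream (illustration only, not production crypto)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> str:
    """Return base64(nonce || ciphertext || tag); the tag lets decrypt() detect a wrong key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt(key: bytes, token: str) -> bytes:
    """Inverse of encrypt(); raises ValueError if the key does not match the tag."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def try_decrypt(key: bytes, token: str):
    """decrypt() that returns None instead of raising, for the comparison below."""
    try:
        return decrypt(key, token)
    except ValueError:
        return None


def load_or_create_install_key(path: str) -> bytes:
    """Per-install key: generated randomly on first boot, kept in a 0600 file outside the database."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = secrets.token_bytes(32)
    # O_EXCL: fail rather than silently overwrite a key that another process just wrote.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def demo() -> dict:
    """Compare the shipped static key with per-install keys for two hypothetical installs."""
    secret = b"jdbc-datasource-password"  # constructed sample credential
    with tempfile.TemporaryDirectory() as tmp:
        path_a = os.path.join(tmp, "install_a.key")  # hypothetical key file locations
        path_b = os.path.join(tmp, "install_b.key")
        key_a = load_or_create_install_key(path_a)          # first boot of install A
        key_b = load_or_create_install_key(path_b)          # first boot of install B
        key_a_reboot = load_or_create_install_key(path_a)   # A restarts and reuses its key
        mode = stat.S_IMODE(os.stat(path_a).st_mode)

        shipped_token = encrypt(SHIPPED_CONFIG_KEY, secret)  # what a static key gives you
        install_token = encrypt(key_a, secret)               # what a per-install key gives you
        return {
            # Anyone holding the download can recover this value straight from a DB dump.
            "shipped_key_recovers_secret": decrypt(SHIPPED_CONFIG_KEY, shipped_token) == secret,
            # The same DB dump is useless without the key file from that specific host.
            "shipped_key_opens_install_token": try_decrypt(SHIPPED_CONFIG_KEY, install_token) is not None,
            "other_install_opens_token": try_decrypt(key_b, install_token) is not None,
            "install_key_recovers_secret": decrypt(key_a, install_token) == secret,
            "keys_differ_per_install": key_a != key_b,
            "key_persists_across_reboot": key_a == key_a_reboot,
            "key_file_group_other_bits": mode & 0o077,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the demo makes is that a database dump encrypted under the shipped key is readable by anyone who downloaded the product, whereas a dump encrypted under a key created on the host at first boot also requires that host's key file, which never sits in the database and is readable only by the service account. A reversible scheme like this is only appropriate for credentials the server must present to another system, such as the JDBC connections the post mentions; user login passwords are normally stored as salted hashes rather than encrypted.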