Feature #2206
use encoded passwords for _User table data import
0%
History
#1 Updated by Eric Faulhaber over 10 years ago
Currently, we have a special data import requirement for applications which use the _User metadata table: the deployer must provide a pwds.txt file containing the user IDs and clear-text passwords along with the *.d dump files. This is to get around the current limitation in P2J of an incompatible hash algorithm for the 4GL ENCODE feature.
The storage of user passwords in a clear text format, even if temporary, is a security concern.
If we do not ultimately provide a compatible ENCODE implementation, we will need customers to modify their applications to intercept logins (or perhaps provide a special-purpose login), to accept the users' passwords and hash them using the P2J ENCODE implementation. These hashed passwords would then be stored (possibly in a special-purpose database table), and eventually would be saved off into a text format, like in pwds.txt.
Data import will have to be adjusted to skip the encoding step if password data is provided pre-encoded. The decision whether or not to encode during import would be governed either by some special configuration or perhaps something as simple as a different password text file name.
#2 Updated by Eric Faulhaber about 8 years ago
- Status changed from New to Rejected
We have since implemented a backward-compatible ENCODE function, so this issue is moot.
#3 Updated by Greg Shah over 7 years ago
- Target version changed from Deployment and Management Improvements to Deployment and Management Improvements