I am migrating customer password which encoded with sha1. I write a custom encoder and successfully I can migrate. After migrating, I want that when customer changes their password, also changes the encoding to hybris default encoding, but still use the custom encoder. How can I handle this?
You can extend DefaultCustomerAccountService changePassword method for setting new encoding. UserModel already has PasswordEncoding attribute. When changePassword method call by somewhere, check usermodel encoding and call setPassword method with new encoding. This method already set new encoding to usermodel.
If you are planning to use custom encoding you can develop your own with PasswordEncoder interface.
Related
I'm trying to implement a custom credential-store (with custom CredentialStoreSpi implementation) to integrate with data-sources through credential-reference.
The idea is to use a vault service with rotating passwords, and, for now, when I start WildFly, it calls CredentialStoreSpi.retrieve() and initializes data-source with current password, but if I flush data-source and request a new connection there are no calls to .retrieve(). And if I rotate password, then, it fails to create connection with username/password error, and still do not call for a new password.
Looking in specs I see that data-source connection security has a config to some "Reauth Plugin Class Name", but I can't find any clues on what is that.
There is any way to change this behavior and force that any new connection should require password directly from credential-store?
Found this spec: https://docs.wildfly.org/20/wildscribe/subsystem/datasources/data-source/ExampleDS/index.html#attr-reauth-plugin-class-name
reauth-plugin-class-name The fully qualified class name of the reauthentication plugin implementation
Looking at web but find no documentation on this.
Anyone knows what is that? Could it help in this use case?
if the credential store is updated externally you have to do a reload of that credential store. Maybe calling the retrieve method or reloading the credential store in the server at a certain intervals might make sense
In my app there is a place where the user can enter in some sensitive information. I'm using a NSSecureTextField for that.
However, NSSecureTextField just uses a plain String to store its contents. This poses an issue because I would like to destroy that String instance, but that is impossible because strings are immutable.
When the user finishes typing his password, there would probably be 10+ instances of that password in memory.
Is there any way to somehow have a more secure method of entering text?
I have a file on my server(linux) with a key (something like: asdfadsfadsf) inside, this key changes all 2 hours. Is there a secure way to pull that key from my server, to use it in my swift application? The key is not really that secret and no one could do bad thing with it.. But I would like how to deal with that.
Encode it on the server and Decode it in the application?
Thanks in advance
Just implement an API in the server for the app to call and get the content(e.g. your key) whenever the app or the logic needs.
The key is not really that secret and no one could do bad thing with it.
Then a HTTPS API call is more then enough.
Encode it on the server and Decode it in the application?
If it is a plain key and not that secure like you mentioned. Encoding and decoding are probably not needed.
I have some sensitive information (my database username/password and cookie encryption key) in my config file for my Dancer application that I would rather not be shown as plain text in case someone does gain access to it. What's the best way to encrypt the file so it's not just text? Or is there a more secure approach that makes more sense than encryption (like restricting file permissions)?
Because you can't encrypt the config, as in the comment above says #ThisSuitIsBlackNot, but sometmes is good to hide passwords (e.g. hide the passowrds form some co-workers who doesn't knows perl - but has access to config files)
I'm using an combination of
security by obscurity
and fooling
In my config files are passwords in encrypted form, and looks like as instructions for configuration. If someone grabs/reads only the config file - get nothing usable.
Usually I'm using something like the next:
db.password: enter some safe password here such De4w.Quafy3yq
and in the code i exracting the "De4w.Quafy3yq" part and using rot13 or crypt etc... get the real passwd: "Qr4j.Dhnsl3ld". Or using the mh5 hash of a string as a password, or similar - simple algorithms.
It is simple, and effective against non-programmers - of course, isn't helps when someone knows perl and grabs the code too.
EDIT
Because seems (downvotes) than here are still some people who didn't understand what this mean, THIS ISN'T ANY REAL SECURITY. It is an nice (funny) method (of course unsecure - read again, it isn't mean any real security) how to hide the password form coworkers, who didn't knows perl. DON'T USE IT for any real password protection. OMG...
Is there a way to password protect the SQL Lite db core data uses for it's persistent store? I want to make the DB available via iTunes but I want to be password protected so only I can open it.
CoreData doesnt have any built in password protection so you are going to have to roll your own encryption or obfuscation mechanism.
Alternatives could be obscure mechanisms (press the invisible button three times?) to send the file by email for returning the data-store to you rather than exposing the Documents folder in iTunes.
I guess the question is there a genuine need for password protection (i.e personal/medical records) or is this just the usual Corporate paranoia. If its the latter I wouldn't put too much effort in. IMHO.