passwords in config files

From: Andrei Adamchik (aadamchi..obox.com)
Date: Tue May 15 2001 - 20:14:31 EDT


There is one thing that kind of bothers me with the current design of
cayenne configuration files. Database username and password are stored in
data node config *.xml file. I guess it was just simple copying of EOModel
behavior in WebObjects. Since we have anonymous CVS access, keeping config
files in CVS is a real security threat. (The same is true for the people
who might use our code)

So, following Andriy's suggestion, I am going to take password and username
out of node config files and instead put them in a special file in a user
home directory. Just like most of the UNIX tools do, we can create a hidden
".cayenne_pass" file in the home directory, where all the nodes will be
listed with their logins and passwords. Like this:

[sybnode1]
username = dummy
password = dummy

[oranode2]
username = dummy
password = dummy

On UNIX this file may have "600" permissions; on Windows, I guess, it's up
to the user to disable file sharing in his "C:\...whatever" directory. I do
not think this even needs to be an XML file, just the format as above. Our
future deployment tools will take it into account, but the good thing is
that ".cayenne_pass" will be totally separate from the code or config files.

Any ideas, objections?

Andrei
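
A sketch of a loader for the file format proposed in the message above, as an added example that is not part of the original post and is not Cayenne code. The names `load_node_credentials` and `InsecureFile` are hypothetical, and refusing any file that is not owner-only (the way ssh treats private keys) is an assumption that goes beyond the message, which only says the file "may have" 600 permissions.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the proposed format (placeholder values, one with a '%').
SAMPLE = """\
[sybnode1]
username = dummy
password = dummy

[oranode2]
username = dummy
password = du%mmy
"""

class InsecureFile(Exception):
    """The credentials file is accessible to someone other than its owner."""

def load_node_credentials(path):
    """Return {node: (username, password)}, refusing files that are not owner-only."""
    # O_NOFOLLOW refuses a symlink at the path; fstat on the open descriptor
    # checks the file actually being read, so there is no check-then-open race.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, encoding="utf-8") as fh:
        # Mode bits say nothing about Windows ACLs, so the check is POSIX-only.
        if os.name == "posix":
            st = os.fstat(fh.fileno())
            if st.st_uid != os.geteuid():
                raise InsecureFile(f"{path}: not owned by the current user")
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                raise InsecureFile(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0600")
        # interpolation=None: a '%' in a password is data, not a template marker.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_file(fh)
    # A section missing either key raises KeyError rather than yielding a partial login.
    return {n: (parser[n]["username"], parser[n]["password"]) for n in parser.sections()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".cayenne_pass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        for mode in (0o644, 0o600):  # world-readable is rejected, owner-only loads
            os.chmod(path, mode)
            try:
                print(oct(mode), load_node_credentials(path))
            except InsecureFile as err:
                print("rejected:", err)
```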



This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 16:21:24 EDT