[OPENAM-9910] OpenAMSettingsImpl.java should not decode storepass. Created: 25/Oct/16 Updated: 01/Dec/16 Resolved: 01/Dec/16 |
Status: | Closed |
Project: | OpenAM |
Component/s: | security |
Affects Version/s: | 14.0.0 |
Fix Version/s: | 14.0.0 |
Type: | Bug | Priority: | Major |
Reporter: | Warren Strange | Assignee: | Warren Strange |
Resolution: | Fixed | Votes: | 0 |
Labels: | must-fix | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
QA Assignee: | Filip Kubáň [X] (Inactive) |
Verified Version/s: |
Description |
OpenAMSettingsImpl.java attempts to decode the storepass. In AM 14, storepass is no longer encrypted with the instance password. This will cause OAuth2 RSA key signing to fail. The biggest issue with this class is the getServerKeyPair method, which duplicates existing functionality in AMKeyProvider. The method should be changed to use AMKeyProvider, as the logic can be centralized in one place. Even if we elect to change the storepass to be encrypted, it should be done in one place. |
Comments |
Comment by Filip Kubáň [X] (Inactive) [ 01/Dec/16 ] |
Verified fix on: OpenAM 14.0.0-M7 Build eff0e96cfd (2016-November-25 16:23) |