[OPENAM-9910] OpenAMSettingsImpl.java should not decode storepass. Created: 25/Oct/16  Updated: 01/Dec/16  Resolved: 01/Dec/16

Status: Closed
Project: OpenAM
Component/s: security
Affects Version/s: 14.0.0
Fix Version/s: 14.0.0

Type: Bug
Priority: Major
Reporter: Warren Strange
Assignee: Warren Strange
Resolution: Fixed
Votes: 0
Labels: must-fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 1|hzsehb:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:


OpenAMSettingsImpl.java attempts to decode the storepass. In AM 14, storepass is no longer encrypted with the instance password. This will cause OAuth2 RSA key signing to fail.

The biggest issue with this class is the getServerKeyPair method - which duplicates existing functionality in AMKeyProvider.

The method should be changed to use AMKeyProvider - as the logic can be centralized in one place. Even if we elect to change the storepass to be encrypted, it should be done in one place.

Comment by Filip Kubáň [X] (Inactive) [ 01/Dec/16 ]

Verified fix on: OpenAM 14.0.0-M7 Build eff0e96cfd (2016-November-25 16:23)

Generated at Mon Mar 01 10:54:34 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.