To continue what I was saying before I somehow sent the email... !

--- Matt Benson <[EMAIL PROTECTED]> wrote:
> --- [EMAIL PROTECTED] wrote:
>
> > stevel 2005/02/07 15:51:01
> >
> > Modified: docs/manual/CoreTasks signjar.html
> > Log:
> > This is actually a serious issue. If I have a login on a machine, I can get the keystore password by waiting for someone to sign a JAR on it. We can fix this, either by running jarsigner in VM, or by passing the input over stdio.
>
> I would opt for the latter. It should be as easy as using it for the input on the helper ExecTask, right?

What I would actually do here is add an attribute to RedirectorElement and Redirector to suppress the logging of the input string. Seeing passwords echoed is irritating to say the least, and it would be simple enough to add this option for a modicum of--if not security, then dignity, at least. Signjar could configure a RedirectorElement internally to keep the passed input hidden, and the same approach would be available to users wanting to pass sensitive text into an external process.

-Matt
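An added illustration of the two ideas in this thread, not Ant's code and not written by either participant: the parent passes a secret to a child process over stdin so it never appears in the argument list, and a logging switch hides the input string. The class name `StdinSecretDemo`, the `logInput` flag and the sample password are hypothetical; the child is the same class re-launched, standing in for an external tool.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Added example: hand a secret to a child process on stdin, never in argv.
public class StdinSecretDemo {

    // Child role: report its own argv, then read the secret from stdin.
    static void child(String[] args) throws IOException {
        BufferedReader in = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8));
        String secret = in.readLine();
        System.out.println("argv=" + Arrays.toString(args));
        System.out.println("secret-length=" + (secret == null ? 0 : secret.length()));
    }

    // Parent role: the command line is safe to log because it holds no secret.
    static List<String> run(char[] password, boolean logInput) throws Exception {
        String java = System.getProperty("java.home") + File.separator + "bin" + File.separator + "java";
        List<String> cmd = Arrays.asList(java, "-cp",
                System.getProperty("java.class.path"), "StdinSecretDemo", "child");
        System.out.println("exec: " + cmd);
        // Hypothetical switch modelled on the proposal: hide the input string in logs.
        System.out.println("input: " + (logInput ? new String(password) : "<hidden>"));

        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
        try (Writer w = new OutputStreamWriter(p.getOutputStream(), StandardCharsets.UTF_8)) {
            w.write(password);
            w.write('\n');
        } finally {
            Arrays.fill(password, '\0'); // drop our copy once it is sent
        }
        List<String> out = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) out.add(line);
        }
        if (p.waitFor() != 0) throw new IOException("child failed: " + out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("child")) { child(args); return; }
        char[] constructed = "not-a-real-storepass".toCharArray(); // constructed sample value
        for (String line : run(constructed, false)) System.out.println("child> " + line);
    }
}
```

Compile with `javac StdinSecretDemo.java` and run `java StdinSecretDemo` from the same directory; the child's reported `argv` contains only `child`, while the secret arrives on its stdin.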