Bug 516

Summary: Password visible in Properties view
Product: [Identity Manager] Identity Designer Reporter: Tim Pew <tpew>
Component: ModelerAssignee: Will Peterson <wpeterson>
Status: VERIFIED FIXED QA Contact: Tim Pew <tpew>
Severity: Critical    
Priority: P2 - High Keywords: Built, Provo
Version: 1.0.0 Designer   
Target Milestone: 1.0 M2   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Integration Test Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Tim Pew 2004-12-09 23:40:23 UTC 
DETAILED DESCRIPTION:  In the modeler, add an identity vault and edit the
properties. Add a host name, username, and password and click OK to save the
values. Select the Identity Vault in the modeler and look in the Properties View
and you can see the password value in clear text!

This brings up the question of how that password is stored in Designer. It might
be better to simply prompt for the password whenever it is needed rather than
store the password in Designer.

BUILD NUMBER: 0909 integration build 8
Oses/CONFIG: Win2KPro
STEPS TO REPRO: 
RESULTS:
EXPECTED: 
WORKAROUNDS: 
CUSTOMER IMPACT:
Comment 1 Tim Pew 2004-12-09 23:41:29 UTC 
wpeterson (  12/8/2004 3:17:17 PM  Fixing - Fix Is Checked-In ) I added encode /
decode functionality to the identity vault password
 
bstreet (  12/3/2004 9:48:14 AM  Fixing - Approved for Investigation ) Will- 
The storage of a password obfuscated is yours to handle in the model right. 
tpew (  11/30/2004 2:03:17 PM  Fixing - Failed ) The password is hidden now, but
there's still the other part of the issue around storing an eDir password in a
project.
 
bstreet (  9/13/2004 5:42:06 PM  Fixing - Approved for Investigation ) We need
to always prompt for passwords when accessing a directory or prompt for a
password  when you login to designer.  We need to store the passwords encrypted
as well 
tpew (  9/13/2004 11:08:47 AM  Fixing - Failed ) Nothing has changed in the M1
build. Why was this assigned back to me?
 
tpew (  9/10/2004 10:46:04 AM  Fixing - Info/Resources Required ) Here's my
concern: If we store the username AND password in Designer, then anyone who gets
on the machine has access to the directory. It's very shaky security if the user
can automatically login without proving who they are. I'm not suggesting that we
force a re-enter of passwords everywhere, but they should have to enter it once
and then we can use that authenticated session until Designer is closed or the
session times out.
 
llowry (  9/8/2004 3:15:35 PM  Fixing - Approved for Investigation ) In the
future, the password will be encypted in the Project View.  It's too much burden
to force a re-entering of passwords everywhere.
 
bstreet (  9/8/2004 12:18:38 PM  Fixing - New ) We applied for an ECR for M1 and
told the export people that post-m1 we would be determining a way to encrypt
passwords.  This is post M1.
Comment 2 Tim Pew 2004-12-10 00:00:45 UTC 
Transferred from Remedy DEFECT000382748.
Status when transferred: Fixing/Fix Is Checked-In
Comment 3 Bill Street 2004-12-10 00:14:30 UTC 
This defect has been checked in.
Comment 4 Howard Vanfleet 2005-01-04 01:43:44 UTC 
Included in Designer build 20050103
Comment 5 Howard Vanfleet 2005-01-05 00:22:32 UTC 
Included in Designer build 20050104
Comment 6 Howard Vanfleet 2005-01-07 17:52:39 UTC 
Included in Designer build 20050107
Comment 7 Howard Vanfleet 2005-01-11 21:01:53 UTC 
Included in Designer build 20050111
Comment 8 Howard Vanfleet 2005-01-12 23:33:12 UTC 
Included in build 20050112
Comment 9 Howard Vanfleet 2005-01-13 23:46:00 UTC 
Included in build 20050113
Comment 10 Howard Vanfleet 2005-01-14 22:09:44 UTC 
Included in Designer build 20050114
Comment 11 Howard Vanfleet 2005-01-19 23:45:05 UTC 
Included in Designer build 20050119
Comment 12 Howard Vanfleet 2005-01-22 00:55:24 UTC 
Included in designer build 20050121
Comment 13 Howard Vanfleet 2005-01-25 00:36:28 UTC 
Included in Designer build 20050124
Comment 14 Howard Vanfleet 2005-01-25 22:03:11 UTC 
Included in Designer build 20050125
Comment 15 Howard Vanfleet 2005-02-01 23:50:20 UTC 
Included in the Designer build 20050201
Comment 16 Howard Vanfleet 2005-02-07 17:05:12 UTC 
Included in Designer build 20050207
Comment 17 Bill Street 2005-09-16 21:31:49 UTC 
Adding built keyword.
Comment 18 Bill Street 2007-04-30 16:37:06 UTC 
Marking closed/resolved fixed bugs public view.
Comment 19 Bill Street 2007-04-30 16:39:35 UTC 
Marking closed/resolved fixed bugs public view.