This issue has been created
There is 1 update, 1 comment.
 
 
XWiki Platform / XWIKI-22257 Open

Hash the superadmin password

 
 

Issue created

 
Guillaume Delhumeau created this issue on 12/Jun/24 16:59
 
Summary: Hash the superadmin password
Issue Type: Improvement
Assignee: Unassigned
Components: Old Core
Created: 12/Jun/24 16:59
Priority: Major
Reporter: Guillaume Delhumeau
Description:

It would allow enabling the superadmin user with an obfuscated password in the configuration file.

 
 

1 update

 
Changes by Vincent Massol on 12/Jun/24 17:03
 
Labels: security
 
 

1 comment

 
Michael Hamann on 12/Jun/24 17:04
 

Superadmin is meant to be a last resort to recover your XWiki installation, not something that should always be active. It seems quite difficult for a user to obtain a valid salted hash, which is what should be used for proper security. So if we implement this, it should be optional, meaning that plain text passwords should still be supported to still allow the intended use case of superadmin, which is to recover a messed-up XWiki installation.