Re: [xwiki-devs] A problem of secret with jobs

Hi Denis, Well in my case the (current, for a Password field) flow would be: a- XObject save or update : Browser ---save---> Server, password in clear in save request b- XObject storage in DB : value encrypted as it's a password field ? I didn't check that, right now I don't know c- Later, use of the password (Server side) for a connection : retrieve password from DB (now, in clear anyway in a Java object), do some logging (issue initially described), connect to the system with user/password, done For a- clearly I have no option unless using some javascript to do some encryption at this stage. To be honest it doesn't trouble me much, but if it were I would go for HTTPS... For b- not only would I need to encrypt the password, but I must be able to do that before the XObject is actually saved by xwiki. I suppose I could register some events to manage pre-creation or pre-update encryption (maybe it's the same thing btw) For b- and c- question is of course of using your nice Crypto API, but also where to store the secret. Both sides being the same (xwiki server), I think it has little meaning to use something else than a symmetric cipher with a secret key stored somewhere, but I'm open to proposals. Regards, Jeremie. 2014-02-26 10:47 GMT+01:00 Denis Gervalle <dgl(a)softec.lu>lu>: