Encryption of Oracle connection passwords in mapfiles
Fernando Simon
fsimon at UNIVALI.BR
Fri Mar 17 15:05:37 EST 2006
Hi all,
It's a good idea to store an encrypted password for Oracle, but I
believe that this feature can be used for all databases (PostGIS,
Oracle, SDE, MySQL).
The point that Steve wrote can be a problem because many times we
use more than one database in a single mapfile. The actual approach
that I use (Oracle and PostGIS) is to create a specific user that has
only the select grant and use it in my mapfile connection.
Best regards,
Fernando Simon
Quoting Stephen Woodbridge <woodbri at SWOODBRIDGE.COM>:
> Another alternative would be to have apache set the credentials into
> environment variables for the mapserver process, and then have mapserver
> check for the existence of the environment variables and if they exist
> then they would override any values that might be in the mapfile.
>
> I guess this doesn't work too well if every mapfile needs different
> credentials. I guess this could be worked around with substitution
> strings like:
>
> @ORA_USER_1@ @ORA_PASS_1@
> @ORA_USER_2@ @ORA_PASS_2@
> etc
>
> I used '@' to refer to the environment instead of '%' that refers to the
> CGI parameters. The actual strings between the @...@ could be anything
> unique in the environment and mod_env in apache would handle setting the
> values.
>
> -Steve W.
>
> Daniel Morissette wrote:
> > We have a need to encrypt (or protect somehow) the Oracle connection
> > passwords in map files to avoid having them as plain text. I will look
> > into this some more and write an RFC, but before getting too far I wanted
> > to gather feedback, in case anyone already had their own ideas on this.
> >
> > What I'm thinking of doing is creating a utility to encrypt a password,
> > that the developer would then copy/paste into the connection string in
> > the mapfile, possibly with some special delimiter to indicate that it's
> > encrypted. MapServer would decrypt the password internally and use the
> > decrypted password for the connection.
> >
> > Unfortunately this requires the use of reversible encryption which is
> > not really that safe, especially when the decryption function is open
> > source, but at least makes it harder to figure the password than just
> > using plain text.
> >
> > I would also like to set up a mechanism that will work for all other DB
> > CONNECTIONs so I am interested in comments from all the DB connection
> > maintainers.
> >
> > Daniel
>
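The `@NAME@` environment substitution suggested in the quoted reply could look like the following. This is an added example, not part of the original thread and not MapServer code. The function name `expand_env_tokens` is hypothetical, and it assumes that token names are C-style identifiers, so that the single `@` in an Oracle `user/pass@service` string stays literal.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not a MapServer function): expand @NAME@ tokens in a
 * connection string from the process environment, e.g. values set by
 * Apache mod_env. Returns 0 on success. Returns -1 and clears out if a
 * referenced variable is unset or the result does not fit, so the caller
 * never connects with a half-expanded string. */
int expand_env_tokens(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*in) {
        /* A token is '@', an identifier, '@'. Anything else is literal. */
        const char *end = (*in == '@') ? strchr(in + 1, '@') : NULL;
        size_t n = end ? (size_t)(end - in - 1) : 0;
        int is_name = n > 0 && n < 64 && !isdigit((unsigned char)in[1]);
        for (size_t i = 0; is_name && i < n; i++) {
            unsigned char c = (unsigned char)in[1 + i];
            is_name = isalnum(c) || c == '_';
        }
        if (!is_name) {
            /* Ordinary character, or a lone '@' as in user/pass@service. */
            if (o + 1 >= outlen) goto fail;
            out[o++] = *in++;
            continue;
        }
        char name[64];
        memcpy(name, in + 1, n);
        name[n] = '\0';
        const char *val = getenv(name);
        if (val == NULL) goto fail;          /* unset variable: fail closed */
        size_t vlen = strlen(val);
        if (vlen >= outlen - o) goto fail;   /* keep room for the NUL */
        memcpy(out + o, val, vlen);
        o += vlen;
        in = end + 1;
    }
    out[o] = '\0';
    return 0;
fail:
    memset(out, 0, outlen);                  /* leave no partial secret behind */
    return -1;
}
```

Substituted values are copied verbatim and not rescanned, so an `@` inside a password cannot trigger a second expansion.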