RTC Restful API: How to encrypt password?
Hi,
I'm creating some scripts in Perl that use the RTC Restful API. I'm using this service to authenticate against RTC: https://myRtcServer:9443/jazz/authenticated/identity
My problem is that I don't want to send the password explicitly. Is it possible to send an encrypted password instead?
I would appreciate your help.
Thanks,
2 answers
As long as it's over the https:// connection, all data is encrypted.
Comments
Leonardo Marzo
commented May 06 '13, 3:11 p.m.
Maybe I didn't explain it properly.
Kevin Ramer
commented May 06 '13, 3:31 p.m.
The thing is, if users have access to read/execute the script (i.e. by logging in to the machine that stores the script), they will also have access to any methodology you embed into the logic of encoding/decoding the credentials.
scott herzinger
commented Oct 29 '13, 2:23 p.m.
We have the same need. Just posted my own question before seeing this one. It seems like a valid need, to manage authentication credentials securely, regardless of whether we're using REST directly, or through the CLI. The scm CLI implements the needed functionality, it's just that some of us would like to use it for our own tools and utilities.
As Kevin explained, everyone who has read/write access to the script could modify it to do whatever he likes, so hiding or encrypting the password is usually of limited use.
Still, if you want a script that is able to make authenticated REST-API calls without containing the password, there is actually a way to do this, albeit not elegantly.
Jazz usually tracks authenticated users via a cookie so that you do not have to send username and password with each request. If you use a secure script that takes care of authentication and then places the cookie data in a location where it can be read by your other scripts, you wouldn't need to include the password in all of your Perl scripts. Provided of course someone ran the authentication script first.
From a security standpoint this is not really a better solution, but it might work in your context. Keep in mind though, that anyone who has access to your Perl scripts would also be able to read your login cookie and do whatever they like as an authenticated user.
Hope that helps.
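The cookie hand-off described in the answer above, sketched in Perl as an added example that is not part of the original thread. It assumes the server uses form-based login at `j_security_check` and signals an unauthenticated session with the `X-com-ibm-team-repository-web-auth-msg` header; the jar path `~/.rtc_session` and the `RTC_USER` environment variable are hypothetical names.

```perl
#!/usr/bin/perl
# Added example. Assumptions: form login at /jazz/j_security_check,
# jar path ~/.rtc_session, user name in RTC_USER (hypothetical names).
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use Term::ReadKey;
use Fcntl qw(:mode);

my $BASE = 'https://myRtcServer:9443/jazz';   # server URL from the question
my $JAR  = "$ENV{HOME}/.rtc_session";         # hypothetical cookie jar path

# True only if we own the jar and no group/other permission bit is set.
sub jar_is_private {
    my ($path) = @_;
    my @st = stat($path) or return 0;
    return $st[4] == $> && !(S_IMODE($st[2]) & 0077);
}

# Run once, interactively: the password is typed, never stored in a script.
sub login {
    umask 0077;                               # a new jar is created as 0600
    print STDERR "RTC password: ";
    ReadMode('noecho'); chomp(my $pw = ReadLine(0)); ReadMode('restore');
    print STDERR "\n";
    # ignore_discard: session cookies are otherwise dropped when saving
    my $jar = HTTP::Cookies->new(file => $JAR, ignore_discard => 1);
    my $ua  = LWP::UserAgent->new(cookie_jar => $jar);
    $ua->get("$BASE/authenticated/identity"); # obtain the initial session cookie
    $ua->post("$BASE/j_security_check",
              { j_username => $ENV{RTC_USER}, j_password => $pw });
    my $res = $ua->get("$BASE/authenticated/identity");
    # Assumed header: present when the session is still unauthenticated.
    die "login failed\n" if !$res->is_success
        || defined $res->header('X-com-ibm-team-repository-web-auth-msg');
    $jar->save;
    chmod 0600, $JAR;                         # tighten a pre-existing jar too
}

# Used by the other scripts: no credentials, only the saved session.
sub session_agent {
    die "$JAR missing or not private (want mode 0600)\n"
        unless jar_is_private($JAR);
    my $jar = HTTP::Cookies->new(file => $JAR, ignore_discard => 1);
    return LWP::UserAgent->new(cookie_jar => $jar);
}

if (@ARGV && $ARGV[0] eq 'login') { login() }
else { print session_agent()->get("$BASE/authenticated/identity")->status_line, "\n" }
```

The ownership and mode check only keeps other local accounts out; as the answer notes, anyone who can read the jar as the same user holds the authenticated session until it expires.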