It's all about the answers!

Ask a question
QuestionsTagsUsersBadges
Guidelines | FAQ
Follow this question
Question details

×42,875
×10,907
×476
×50
×18

question asked: May 06 '13, 12:29 p.m.
question was seen: 8,952 times
last updated: Oct 30 '13, 12:28 p.m.

Related questions

RTC Restful API: How to encrypt password ?

1
Leonardo Marzo (24964852) | asked May 06 '13, 12:29 p.m.
 Hi, 

I´m creating some scripts in Perl that uses the RTC Restful API. I´m using this service to authenticate against RTC: https://myRtcServer:9443/jazz/authenticated/identity

My problem is that I don't want to send the password explicitly. Is it possible send an encrypted password instead? 

I would appreciate your help. 


Thanks,

2 answers

Most liked answers ↑|Newest answers|Oldest answers

0
permanent link
sam detweiler (12.5k6195201) | answered May 06 '13, 12:39 p.m.
long as its over the https:// connection, all data is encrypted..
Comments
Leonardo Marzo commented May 06 '13, 3:11 p.m.

Maybe I didn't explain it properly.

Currently, my password is 'harcoded' in the script, and many users have access to it. I was looking for something similar to how the JBE works, you provide a file with the encrypted password.

I though there was a way to send the password encrypted and the the RTC server decode it properly.

Kevin Ramer commented May 06 '13, 3:31 p.m.

The thing is if users have access to read/execute the script (i.e by login to the machine that stores the script), they will also have access to any methodolody you embed into the logic of encoding/decoding the credentials. 




scott herzinger commented Oct 29 '13, 2:23 p.m.

We have the same need. Just posted my own question before seeing this one. It seems like a valid need, to manage authentication credentials securely, regardless of whether we're using REST directly, or through the CLI.  The scm CLI implements the needed functionality, it's just that some of us would like to use it for our own tools and utilities.

0
permanent link
Oliver Siebenmarck (1111) | answered Oct 30 '13, 12:28 p.m.
As Kevin explained, everyone who has read/write access to the script could modify it to do whatever he likes, so hiding or encrypting the password is usually of limited use.

Still, if you want a script that is able to make authenticated REST-API calls without containing the password, there is actually to do this, albeit not elegantly.

Jazz usually tracks authenticated users via a cookie so that you do not have to send username and password with each request. If you use a secure script that takes care of authentication and then places the cookie data in a location where it can be read by your other scripts, you wouldn't need to include the password in all of your Perl scripts. Provided of course someone ran the authentication script first. 

From a security standpoint this is not really a better solution, but it might work in your context. Keep in mind though, that anyone who has access to your Perl scripts would also be able to read your login cookie and do whatever they like as an authenticated user.

Hope that helps.

Your answer

Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.