Authentication - clear text password storage in client FirstSpirit applications

Dear FirstSpirit community,

the FirstSpirit Admin password is currently used to execute privileged changes in FirstSpirit projects. Up to now, it has not been possible to retrieve the Admin password directly from the FirstSpirit backend system, for security reasons.

The consequence: the Admin password has to be stored in clear-text in

- FirstSpirit project settings

- FirstSpirit module configurations

- FirstSpirit scripts (BeanShell/Executable class)

- FirstSpirit 3rd party applications (e.g. Web Services, etc.)

With an increasing number of projects and applications, the effort to change the Admin password grows, because each location where the password is stored has to be identified and changed separately.

The feature request: an optimized authentication process that allows centralized authentication administration without storing passwords directly in clients, e.g. based on:

- certificate based

- providing privileged authentication credentials directly in the JavaClient program (compared to web browsers, where public keys are stored as well)

3 Comments
Andreas-Knoor
Crownpeak Employee

@ king

Could you please specify the common "project changes" (using the Admin account) that are necessary in your scenario?

king
I'm new here

The common things that lead to project changes are:

- switching FirstSpirit groups for users

- adding new FirstSpirit groups

- adding FirstSpirit users to a FirstSpirit project

- adding new languages to FirstSpirit projects directly in the JavaClient

- execute workflow actions with privileged rights (removal of hung workflows)

kohlbrecher
Crownpeak employee

Hello Holger,

since FirstSpirit 5.2R16 passwords are encoded and since 5.2R19 they can be requested via API.

Best regards

Jan