Authentication - clear text password storage in client FirstSpirit applications
Dear FirstSpirit community,
The FirstSpirit Admin password is currently used to execute privileged changes in FirstSpirit projects. Up to now, it has not been possible to retrieve the Admin password directly from the FirstSpirit backend system, for security reasons.
The consequence: the Admin password has to be stored in clear text in
- FirstSpirit project settings
- FirstSpirit module configurations
- FirstSpirit scripts (BeanShell/Executable class)
- FirstSpirit 3rd party applications (e.g. Web Services, etc.)
With an increasing number of projects and applications, the effort required to change the Admin password grows, because each location where the password is stored has to be identified and changed separately.
The feature request: an optimized authentication process that allows centralized authentication administration without storing passwords directly in clients, e.g. based on:
- certificate-based authentication
- providing privileged authentication credentials directly in the JavaClient program (comparable to web browsers, where public keys are stored as well)