When using encrypted settings, I've been able to find that in MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes, the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted.
Also, the 'cryptodoc.jce.keystore.password' entry shows the keystore password in the clear as well while the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.
A partner believes this to be a security hole, as anyone with controlRole or monitorRole access will be able to see the passwords for the keystore.
I was able to reproduce on 5.0.2.5.
Steps to reproduce:
1. Install 5.0.2.5
2. In alfresco-encrypted.properties add these properties:
cryptodoc.jce.keystore.path=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.keystore.password=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.key.aliases=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.key.passwords=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
3. In alfresco-global.properties add these properties:
cryptodoc.jce.keystore.path=${cryptodoc.jce.keystore.path.enc}
cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
cryptodoc.jce.key.aliases=${cryptodoc.jce.key.aliases.enc}
cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}
4. Start Alfresco.
5. Attach to the JMX console using jconsole.
6. Have a look at MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes -> 'cryptodoc.jce.key.passwords' entry
7. Have a look at MBeans under Alfresco -> Global Properties -> Attributes -> cryptodoc.jce.keystore.password
Observed:
In Step #6 the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted even though they are encrypted in the properties file.
In Step #7 the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.
Expected:
In Step #6 the passwords should not be shown as clear text but rather the property as shown in Step #7.
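The following is an added audit check, not code from this report or from Alfresco: given a listing of MBean attributes (a constructed sample below, keyed by the display paths used in the steps above), it flags password-like attributes whose value is neither the ENC(...) form from alfresco-encrypted.properties nor an unresolved ${...} placeholder, i.e. exactly the condition described under Observed versus Expected. The attribute values and the short ENC(...) string are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Attribute names that are likely to carry credentials.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|credential)s?$", re.IGNORECASE)
# Values that are acceptable to see over JMX: still-encrypted ENC(...) text,
# or an unresolved ${...} reference to the encrypted property.
ENC_VALUE_RE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample modelled on the two MBean locations named in the report.
# The "managed -> encrypted" attributes hold cleartext, the GlobalProperties
# attributes hold the protected forms; the values themselves are invented.
SAMPLE_MBEANS: Dict[str, Dict[str, str]] = {
    "Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes": {
        "cryptodoc.jce.keystore.path": "/opt/alfresco/keystore/encrypted.jks",
        "cryptodoc.jce.keystore.password": "k3yst0re-pass",        # constructed cleartext
        "cryptodoc.jce.key.aliases": "alias1",
        "cryptodoc.jce.key.passwords": "alias1=k3y-pass",           # constructed cleartext
    },
    "Alfresco -> Global Properties -> Attributes": {
        "cryptodoc.jce.keystore.password": "ENC(c29tZS1jaXBoZXJ0ZXh0)",   # constructed
        "cryptodoc.jce.key.passwords": "${cryptodoc.jce.key.passwords.enc}",
        "dir.root": "/opt/alfresco/alf_data",
    },
}


def is_secret_attribute(name: str) -> bool:
    """True when the attribute name suggests it holds a password or key secret."""
    return SECRET_NAME_RE.search(name) is not None


def is_protected_value(value: str) -> bool:
    """True when the value is still ENC(...) ciphertext or a ${...} placeholder."""
    v = value.strip()
    return bool(ENC_VALUE_RE.match(v) or PLACEHOLDER_RE.match(v))


def find_cleartext_secrets(mbeans: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (mbean_path, attribute_name) pairs where a secret-looking attribute
    is exposed in a form that is neither encrypted nor a placeholder."""
    findings: List[Tuple[str, str]] = []
    for path, attrs in mbeans.items():
        for name, value in attrs.items():
            if is_secret_attribute(name) and not is_protected_value(value):
                findings.append((path, name))
    return findings


if __name__ == "__main__":
    for path, name in find_cleartext_secrets(SAMPLE_MBEANS):
        print(f"cleartext secret exposed via JMX: {path} -> {name}")
```

Run against a real attribute dump, only the two entries under the "managed -> encrypted" path should be reported; the GlobalProperties entries pass because they still show the ENC(...) or ${...enc} form the Expected section asks for.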