
Re: [dtp-pmc] Fixes for BZ 132556: Password visible in DB Driver Details (please review)

+1 for this feature in Callisto.

Linda, Sheila:

Any thoughts or votes here?

Regards,
John Graham
Eclipse Data Tools Platform PMC Chair
Staff Software Engineer, Sybase, Inc.
http://dataplat.blogspot.com/



                                                                           
From: brian.fitzpatrick@sybase.com
Sent by: dtp-pmc-bounces@eclipse.org
Date: 04/12/2006 04:32 PM
To: dtp-pmc@xxxxxxxxxxx
cc:
Subject: [dtp-pmc] Fixes for BZ 132556: Password visible in DB Driver Details (please review)
Please respond to: DTP PMC mailing list <dtp-pmc@eclipse.org>





Hi all...

I would like permission from the DTP PMC to deliver fixes to Connectivity
for BZ 132556: Password visible in DB Driver Details.

The issue for this entry was that when you create a driver instance, the
default password is unmasked, but when you go to the profile and change the
password, it's masked.

To fix this, we could have simply made the password property for driver
instances a special case and indicated in the template XML that it should
be masked in the UI. Instead, we took this as an opportunity to provide a
more open framework for custom handling of driver properties.

If you look at the existing Edit Driver dialog (available when you create a
new driver instance or edit an existing one on the Preferences dialog on
the Connectivity -> Driver Definitions page), the bottom until now has been
a simple table with two rows - Name and Value -- since each driver instance
property is simply a name/value pair. This worked fine until we wanted to
provide a more flexible editor for the driver property.

So we have hosted an instance of the Eclipse Property Viewer at the bottom
of the Edit Driver dialog to replace the table that had been there.

This gives us many new abilities:

1) We can logically group properties into categories with collapsible
sections.

2) We can provide custom property descriptors for individual properties to
allow much more flexible editing. In the basic case, we provide
TextPropertyDescriptors, but for passwords we now have the ability to use a
PasswordTextPropertyDescriptor that masks the entry and display of the
property data in the UI. This is as flexible as the developer wants to be
-- one example I saw had a button as the editor, which popped up a custom
dialog to allow the user to edit that property in a more understandable
manner (I believe it was height/width of a button).

See the attached screen shot:

(Embedded image moved to file: pic01623.jpg)


These two new abilities are additions to the schema for the driverTemplate
extension point from Connectivity. We add two new attributes to the
property tag -- category and customPropertyDescriptor.

By default, all properties will appear in the "General" category unless the
developer specifies a category for each property. So for example, if the
developer wanted to group properties into "Required" and "Optional"
categories, they would do it in this manner.

The customPropertyDescriptor attribute points to a class that extends
org.eclipse.ui.views.properties.PropertyDescriptor. We have implemented a
PasswordTextPropertyDescriptor object
(org.eclipse.datatools.connectivity.ui.PasswordTextPropertyDescriptor),
which provides a property editor that masks the characters for a password
property. Users are free to use this class for their own password
properties or implement whatever custom Property Descriptor class they want
and use it in their driver template for whatever properties they'd like. Or
if they want to make the property values read-only, they can use
org.eclipse.ui.views.properties.PropertyDescriptor directly.

These changes are pretty minor to the driver framework and to the existing
driver templates for derby and the other sample driver templates.

Note the following limitations of this approach.

1) It does not actually encrypt the default password specified for the
driver instance. It hides it from the casual user.
2) The metadata file in which driver instances are stored in the workspace
is not encrypted in any way. Neither are the plugin.xml files where
developers will specify their driver templates.
3) The driver instances merely store default values for components that the
connection profile will then take and use.
4) If you want your driver instances to be secure, you should not specify
any authentication information (user name/password) in the driver instance.

Ultimately, this fix simply addresses an inconsistency in how passwords
were displayed to the user in the DTP/Connectivity UI and provides some
additional flexibility for grouping and editing driver instance properties.

Sorry this is so long-winded!

Thanks for your time.
--Fitz

Brian Fitzpatrick
Senior Software Engineer/DTP-Connectivity Committer
Sybase, Inc.
e-mail: brianf@xxxxxxxxxx

(See attached file: pic01623.jpg)
[attachment "pic01623.jpg" deleted by John Graham/SYBASE]
_______________________________________________
dtp-pmc mailing list
dtp-pmc@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/dtp-pmc
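
The limitations listed in the message above (masking hides the value in the UI but nothing on disk is encrypted) can be checked mechanically. The following is an added example, not part of the original e-mail or of DTP: it parses a constructed plugin.xml fragment and flags password-like driver properties that carry a clear-text default value or lack the masking descriptor. Only the property tag and its category and customPropertyDescriptor attributes come from the message; the driverTemplate element name, the id, name and value attributes and all sample values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed plugin.xml fragment. Only <property>, "category" and
# "customPropertyDescriptor" come from the message; the <driverTemplate> element
# and the "id", "name" and "value" attributes are assumed names for illustration.
SAMPLE_PLUGIN_XML = """<plugin>
  <extension point="example.driverTemplate">
    <driverTemplate id="example.derby.template">
      <property id="example.url" name="Connection URL" category="Required"
                value="jdbc:derby:sample"/>
      <property id="example.username" name="User ID" category="Optional" value="app"/>
      <property id="example.password" name="Password" category="Optional"
                value="s3cret-constructed"
                customPropertyDescriptor="org.eclipse.datatools.connectivity.ui.PasswordTextPropertyDescriptor"/>
      <property id="example.password2" name="Admin Password" value=""/>
    </driverTemplate>
  </extension>
</plugin>"""

# Heuristic for "this property holds a secret"; tune to the templates being audited.
SECRET_NAME = re.compile(r"pass|pwd|secret", re.I)
MASKING_DESCRIPTOR = "org.eclipse.datatools.connectivity.ui.PasswordTextPropertyDescriptor"


def audit_driver_properties(xml_text):
    """Return (property id, finding) pairs for password-like driver properties."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        label = f"{prop.get('id', '')} {prop.get('name', '')}"
        if not SECRET_NAME.search(label):
            continue
        pid = prop.get("id", "<no id>")
        # Limitations 1, 2 and 4: a default value sits in clear text on disk,
        # whether or not the UI masks it.
        if prop.get("value"):
            findings.append((pid, "plaintext-default"))
        # The original inconsistency: a password property shown unmasked in the UI.
        if prop.get("customPropertyDescriptor") != MASKING_DESCRIPTOR:
            findings.append((pid, "unmasked-in-ui"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_driver_properties(SAMPLE_PLUGIN_XML):
        print(f"{pid}: {finding}")
```

A masked property can still be reported as plaintext-default, which is the case limitation 1 describes.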



