Store unique password in per module settings

I have a module that has specific server settings which includes a password.

The current approach I'm taking is to create a UUID and store it in the module file, creating one if it does not already exist.

I then use the PasswordSafe class and store the password using this UUID as the key to store the password under.

So far it's working great except for one thing. If you try to access the panel with the password when bg tasks are running then the master password dialog doesn't come up. When this happens the password is lost and a blank one is somehow stored.

Is there a better approach to doing this? I'm assuming simply hashing the password into the module settings isn't really a secure way of storing the password, but it definitely would be easier to reason about.


> If you try to access the panel with the password when bg tasks are running then the master password dialog doesn't come up. When this happens the password is lost and a blank one is somehow stored.

This shouldn't happen.

If you call PasswordSafe.getInstance().getPassword(), it checks if the password safe is open (which means that the user has entered the master password to unlock the safe during this session and not so long ago (there is some timeout), or the user has an empty master password). If it is, the stored password is returned by the method. Otherwise a modal dialog asking to enter the master password appears on screen. After the user enters the correct master password, the requested password is returned.

If this doesn't work like that, please specify what actually happens step-by-step, and please post a code snippet where you work with the PasswordSafe, and I'll try to help you figure out what goes wrong.


I thought that this would be the case. I won't be surprised if I'm doing something fishy with my password key logic. I've recently open sourced my plugin so I'll just link to the offending class. I will detail the specific problematic code later for future forum goers once I figure it out.

https://github.com/nek4life/intellij-demandware/blob/master/src/com/demandware/studio/settings/DWSettingsProvider.java

I think it might have something to do with this line in particular:

https://github.com/nek4life/intellij-demandware/blob/master/src/com/demandware/studio/settings/DWSettingsProvider.java#L100

I don't know if this is the best place to try to instantiate a new key if one doesn't exist. I create a key in the project wizard, but I wanted to be able to create a key if one doesn't exist. If there is a better way of handling this I would be happy to know that as well.

Thanks!


It looks like you request and save passwords correctly. At least, we do the same in the GitHub plugin.

However, I agree that it might not be a good place to instantiate a new key. Usually default values are initialized directly inside the State:

  
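import java.util.UUID;

public static class State {

    // Default lookup key for the password safe; randomUUID() returns a UUID, so convert it to a String.
    public String passwordKey = UUID.randomUUID().toString();
...
}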

Please try this one and check if it helps.

// btw, you have a probably obsolete "password" property inside the State class.
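
A defensive pattern for the symptom reported in the question, a blank password replacing the stored one after a failed read, shown as an added example that is not code from this thread or from the plugin. `SecretStore` and `PasswordField` are hypothetical stand-ins for the password safe and the settings panel, and the locked-safe behaviour (`get` returns null) is an assumption.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class ModulePasswordExample {

    /** Hypothetical stand-in for the password safe; get() returns null when locked or empty. */
    interface SecretStore {
        String get(String key);
        void put(String key, String secret);
    }

    /** Persisted module settings: holds the opaque lookup key, never the password. */
    static class State {
        public String passwordKey = UUID.randomUUID().toString();
    }

    /** Hypothetical panel model that tracks whether the user really edited the field. */
    static class PasswordField {
        private String text = "";
        private boolean modified = false;

        void loadFrom(SecretStore store, State state) {
            String stored = store.get(state.passwordKey);
            text = (stored == null) ? "" : stored; // a failed read leaves the field blank
            modified = false;
        }

        void userTyped(String value) { text = value; modified = true; }

        /** Write back only on a real edit, so a blank field from a failed read never overwrites the secret. */
        void applyTo(SecretStore store, State state) {
            if (modified) store.put(state.passwordKey, text);
        }
    }

    public static void main(String[] args) {
        Map<String, String> backing = new HashMap<>();
        boolean[] locked = {false};
        SecretStore store = new SecretStore() {
            public String get(String k) { return locked[0] ? null : backing.get(k); }
            public void put(String k, String s) { backing.put(k, s); }
        };
        State state = new State();
        store.put(state.passwordKey, "constructed-sample-secret"); // constructed sample value

        locked[0] = true;                    // simulate: the unlock dialog never appeared
        PasswordField field = new PasswordField();
        field.loadFrom(store, state);
        field.applyTo(store, state);         // OK pressed without touching the field
        locked[0] = false;
        System.out.println("secret preserved: " + "constructed-sample-secret".equals(store.get(state.passwordKey)));
    }
}
```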
