5
 Followers
8
 Likes

Mark a Site Property to have its value masked in Service Center

Service Center
On our radar
Some site properties represent passwords, it would be good to have their values masked in Service Center. There should be a checkbox on the Site Property in Service Studio to mark this option.

J.Ja
Created on 23 Jul 2015
Comments (15)
Isn't this a duplicate of some idea? I recall this being requested (or maybe specifically for passwords).
Merged this idea with 'Applicational User/Password management on Service Center' (created on 25 Jun 2018 01:34:39 by Carlos Alexandrino)

It is a frequent pattern in many clients / projects to use Site Properties to store Usernames and Passwords (in clear) that are used in invoking Web Services, running Stored Procedures and Functions, ..., any other type of integration in which you need username and password.


It would be very useful to have an area in the Service Center that would allow to create and manage the data of the application users and an API that would allow access to the data of these users in Runtime.



This comment was:
- originally posted on idea 'Applicational User/Password management on Service Center' (created on 25 Jun 2018 by Carlos Alexandrino)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:35:58 by Fernando Moitinho

Changed the category to Service Center




This comment was:
- originally posted on idea 'Applicational User/Password management on Service Center' (created on 25 Jun 2018 by Carlos Alexandrino)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:35:58 by Fernando Moitinho
Merged this idea with 'Password Vault' (created on 22 Aug 2018 14:08:13 by Sara H.)

The platform needs an easier way to manage passwords for connecting to APIs and such, such as a password vault of some kind with encryption.

Storing passwords as plain text in Service Center as Site properties is not secure enough but it seems like the easiest option Outsystems provides out of the box.




This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

At this point, I highly recommend that virtually all applications use something that isn't Site Properties for configuration. There are options like "NOPE" in the Forge. I suspect they may have the ability to encrypt. If they don't, that would be a good option to add, perhaps you could join the team and help add it? Using the CryptoAPI stuff, it isn't too hard to use 2 way encryption where the private key is stored separately from the database.

J.Ja



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Thanks for the suggestion.


I definitely agree with your site property comment.


I am looking into NOPE further now, looks promising! I just wish something like this came out of the box with Outsystems to encourage people to use safer practices. I wouldn't be surprised if some Outsystems clients had applications currently live that were using Site Properties as passwords as using site properties....  It's easy.



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Sara -

I agree completely. Site properties are EASY (and they perform well thanks to some caching) but they aren't SAFE or SECURE and moving between environments is a mess. Something like NOPE *should be* built into the platform. Unfortunately, people get taught to use site properties and then you look at the code and there are hundreds of site properties in dozens of modules storing lots of critical data in plain text. :(

J.Ja



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Hello Sara,


I'm the creator of NOPE. Can you please let me know your use case so I can develop that feature? Seems like a very reasonable one.


Cheers,

Armando



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Changed the category to Backend




This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

@Armando 


Hello,


The use case is not to store passwords in plain text. And especially not in Service Center where it's often available on the internet and only behind a username and a password so not very secure. 


- Any password stored in the vault would be encrypted

- The user would have the key separately 


Kind regards,

Sara



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Hello Sara,


Just out of curiosity, how do you propose to handle the master password? I'll have to encrypt with that master password but, for use, I'll have to decrypt the values.


Cheers!



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho

Armando -

I'd suggest encrypting with the "GetPrivateKey" in CryptoAPI. Otherwise there is no way that you can decrypt at runtime in a timer, BPT, etc. where the user cannot provide that key.

J.Ja



This comment was:
- originally posted on idea 'Password Vault' (created on 22 Aug 2018 by Sara H.)
- merged to idea 'Mark a Site Property to have its value masked in Service Center' on 09 Nov 2018 15:36:32 by Fernando Moitinho
views
572
Followers
5