Author Topic: Use Security Issues - v9.1 (909) and V12 (1215)  (Read 4474 times)

Paolo F Cantoni

  • EA Guru
  • *****
  • Posts: 8626
  • Karma: +259/-129
  • Inconsistently correct systems DON'T EXIST!
Use Security Issues - v9.1 (909) and V12 (1215)
« on: August 07, 2015, 09:57:16 am »
I have a number of .EAP files with User Security enabled.  Security was enabled under v12 (1215).  In testing to try and determine the causes or at least the scope of some automation bugs, I tried to open a couple of these under v9.1 (909).  The correct user/password was not accepted and I got an "Unknown User or Invalid password" message.

Also, under V12 (or v9.1) if I try to do a project transfer from another file to the secured file, I can't do it - because of the same error!  I can only transfer to an unsecured file.  The resultant file is, of course, secured correctly and I can open it with v12 using the foregoing credentials.

Anyone seen anything like this?

TIA (and reported),
Paolo
« Last Edit: August 07, 2015, 09:58:03 am by PaoloFCantoni »
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
Re: Use Security Issues - v9.1 (909) and V12 (1215
« Reply #1 on: August 07, 2015, 10:03:09 am »
Recent versions of EA store a secure hash of the user password instead of a (cryptographically) weak transform.

There is no way to make v9 etc to check the secure hash, and storing it so v9 can read it would defeat the purpose.

If having both versions being able to log-in outweighs password security, you can set the password in 9.1.
« Last Edit: August 07, 2015, 10:04:04 am by simonm »

Paolo F Cantoni

Re: Use Security Issues - v9.1 (909) and V12 (1215
« Reply #2 on: August 07, 2015, 10:30:02 am »
Quote
Recent versions of EA store a secure hash of the user password instead of a (cryptographically) weak transform.

There is no way to make v9 etc to check the secure hash, and storing it so v9 can read it would defeat the purpose.

If having both versions being able to log-in outweighs password security, you can set the password in 9.1.
Thanks Simon,

I figured as much.  

So in this case of testing only; I need to remove User Security under v12 (since I need to open it with v9) then re-enable under v9 and then set the password with v9 - correct?

What about the project transfer problem - is that the same issue (but with some unfinished code)? :) - since it happens under v12.

Paolo

Eve

Re: Use Security Issues - v9.1 (909) and V12 (1215
« Reply #3 on: August 07, 2015, 12:18:08 pm »
Yes, remove/add security would do it.

There's a security permission being checked on the target model. If the login required to make that happen doesn't work then it was probably overlooked.

Paolo F Cantoni

Re: Use Security Issues - v9.1 (909) and V12 (1215
« Reply #4 on: August 10, 2015, 09:42:59 am »
Quote
Yes, remove/add security would do it.

There's a security permission being checked on the target model. If the login required to make that happen doesn't work then it was probably overlooked.
Hi Simon,

Before I finalise how I'm going to set up security, my intent is to have a basically v12 security model for human use but a couple of v9 accounts for automation use - hopefully that gives me the "best of both worlds". I need a couple of bits of information:
  • If I start with a v9 model and then add other accounts under v12, do ONLY the new accounts inherit the v12 attributes, or are ALL the existing v9 accounts converted?
  • If the answer above is that existing accounts remain the same, can I access the repository using the v9 Account from v9?
  • If I accidentally access the v9 account with v12, does it convert or does it stay a v9 account?

I think the answers to these questions will be of interest to those customers with long-running repositories.

TIA,
Paolo

Eve

Re: Use Security Issues - v9.1 (909) and V12 (1215
« Reply #5 on: August 10, 2015, 01:03:50 pm »
There is no automatic conversion of existing passwords. The only time they will be "converted" is when the password is changed (in v11+)
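
The behaviour described across this thread, modelled as an added example that is not part of the original posts and is not Sparx's code: a store where legacy and secure password records coexist, the old client can only check the legacy format, and a record is upgraded only when the password is changed. The XOR transform and PBKDF2 are stand-ins chosen for illustration; the thread does not say which schemes EA actually uses, and all names and sample values are constructed.

```python
import hashlib
import hmac
import os

LEGACY_KEY = b"constructed-demo-key"  # assumption: stand-in for the old weak transform

def legacy_transform(password):
    """Reversible XOR obfuscation; readable by old and new clients alike."""
    data = password.encode()
    return bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(data)).hex()

def secure_hash(password, salt=None):
    """Salted PBKDF2 record, tagged so the new client can tell the formats apart."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())

def old_client_verify(record, password):
    """Old client knows only the legacy transform, so secure records never match."""
    return hmac.compare_digest(record, legacy_transform(password))

def new_client_verify(record, password):
    """New client checks either format; logging in does not rewrite the record."""
    if record.startswith("pbkdf2$"):
        salt = bytes.fromhex(record.split("$")[1])
        return hmac.compare_digest(record, secure_hash(password, salt))
    return hmac.compare_digest(record, legacy_transform(password))

def new_client_set_password(users, name, password):
    """The only point at which a record moves to the secure format."""
    users[name] = secure_hash(password)

def legacy_accounts(users):
    """Audit helper: accounts still stored with the weak transform."""
    return sorted(n for n, r in users.items() if not r.startswith("pbkdf2$"))

def demo():
    # Constructed sample: one account set by the old client, one by the new.
    users = {"automation": legacy_transform("svc-pass")}
    new_client_set_password(users, "human", "human-pass")
    return {
        "old_reads_automation": old_client_verify(users["automation"], "svc-pass"),
        "old_reads_human": old_client_verify(users["human"], "human-pass"),
        "new_reads_both": new_client_verify(users["automation"], "svc-pass")
                          and new_client_verify(users["human"], "human-pass"),
        "still_legacy": legacy_accounts(users),
    }

if __name__ == "__main__":
    print(demo())
```

Running `legacy_accounts` over a long-lived repository's user list is the check that shows which accounts still carry the weak format and need a password change to be upgraded.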