I'm going to post a PR for this, but here's the short story. Redis counts as "data at rest" in a lot of organizations and must be encrypted. We are using a SessionAttributesTranscoder that encrypts the byte[] with AES-GCM, but to our surprise, the passwords were stored in plaintext in Redis.
My proposal is to have a serialization strategy for the Principal and request attributes.
This would also allow people to write custom serializers to fix #427.
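The failure mode reported above is that the transcoder only covers the attribute bytes, so anything serialized through a separate path (here the Principal, which carried the password) lands in the store unencrypted. The following is an added, stand-alone example and not code from memcached-session-manager; it does not assume any of the project's interfaces. It serializes the principal and the attributes through one code path, wraps the result with AES-GCM (random 12-byte IV prefixed to the ciphertext, 128-bit tag, session id bound as AAD), and includes the check a defender would run against a stored blob: does a known secret appear in it verbatim? All names, the session id and the password value are constructed for the demo.

```java
// Added example, not memcached-session-manager code. All values are constructed.
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SessionEncryptionDemo {
    private static final int IV_BYTES = 12;   // GCM standard nonce length
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    /** Serialize the principal together with the attributes, so one path covers both. */
    static byte[] serialize(String principalName, String principalPassword,
                            Map<String, String> attributes) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(bos)) {
            out.writeUTF(principalName);
            out.writeUTF(principalPassword);
            out.writeInt(attributes.size());
            for (Map.Entry<String, String> e : attributes.entrySet()) {
                out.writeUTF(e.getKey());
                out.writeUTF(e.getValue());
            }
        }
        return bos.toByteArray();
    }

    /** AES-GCM encrypt; output layout is IV || ciphertext || tag. */
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                       // fresh nonce per blob: never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);                        // bind the blob to its session id
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Inverse of encrypt; throws AEADBadTagException if the blob or AAD was tampered with. */
    static byte[] decrypt(SecretKey key, byte[] blob, byte[] aad) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ct);
    }

    /** Defender's check: a stored blob must not contain a known secret as plaintext bytes. */
    static boolean containsPlaintext(byte[] stored, String secret) {
        byte[] needle = secret.getBytes(StandardCharsets.UTF_8);
        outer:
        for (int i = 0; i + needle.length <= stored.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (stored[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();        // in production this comes from a key store / KMS

        Map<String, String> attrs = new TreeMap<>();
        attrs.put("cart", "3 items");
        String password = "hunter2-constructed";                           // constructed secret
        byte[] aad = "session:abc123".getBytes(StandardCharsets.UTF_8);    // constructed session id
        byte[] plain = serialize("alice", password, attrs);

        // This is the situation the issue observed: the principal serialized without the transcoder.
        System.out.println("password visible in unencrypted blob: " + containsPlaintext(plain, password));

        byte[] stored = encrypt(key, plain, aad);
        System.out.println("password visible in encrypted blob:   " + containsPlaintext(stored, password));

        byte[] back = decrypt(key, stored, aad);
        System.out.println("round trip intact: " + Arrays.equals(plain, back));
    }
}
```

The check in containsPlaintext is the useful operational part: run it (or an equivalent scan) against a sample of values pulled from the store with a secret you planted in a test session, and any hit means some serialization path is bypassing the encrypting transcoder.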
exabrial changed the title from "Principal is not serialized with SessionAttributesTranscoder" to "Principal and other attributes need some flexibility with Serialization" on Jun 7, 2021.
exabrial added a commit to exabrial/memcached-session-manager that referenced this issue on Jun 7, 2021.