Caution advised storing passwords & tokens in ICN plugin configuration


For those creating IBM Content Navigator plugins, please be advised not to store any tokens, passwords or API keys in the plugin configuration, as it will be accessible to all authenticated users.

Although you would expect the ICN admin-api to be limited to admin-users, the following snippet works for everyone 🙂

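// ApplicationConfig belongs to the admin model, yet this call succeeds
// for any authenticated user and logs every plugin object.
require(["ecm/model/admin/ApplicationConfig"], function (ApplicationConfig) {
    ApplicationConfig.getPluginObjects(function (plugins) {
        console.log(plugins);
    });
});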
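
Before moving anything, an administrator can check which installed plugins already keep secrets in their configuration. This is an added example, not code from the original post or from IBM; the `{ id, configuration }` shape, the JSON encoding of the configuration string, the key-name pattern and the entropy threshold are assumptions, and the sample data is constructed.

```javascript
// Audit plugin configurations for secret-looking entries (added example).
// Assumption: each plugin is reduced to { id, configuration }, where
// configuration is the JSON string saved by the plugin's configuration pane.
const SECRET_KEY = /pass(word|wd)?|secret|token|api[-_]?key|credential/i;

// Shannon entropy in bits per character; generated keys score high.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Walk a parsed configuration; record where a finding is, never its value.
function walk(node, path, findings) {
  if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) walk(v, path.concat(k), findings);
    return;
  }
  if (typeof node !== "string" || node === "") return;
  const key = path.length ? String(path[path.length - 1]) : "";
  if (SECRET_KEY.test(key)) {
    findings.push({ path: path.join("."), reason: "secret-like key name" });
  } else if (node.length >= 20 && !/\s/.test(node) && entropy(node) >= 4) {
    findings.push({ path: path.join("."), reason: "high-entropy value" });
  }
}

function auditPlugins(plugins) {
  const report = [];
  for (const { id, configuration } of plugins) {
    const findings = [];
    try {
      walk(JSON.parse(configuration || "{}"), [], findings);
    } catch (e) {
      findings.push({ path: "(root)", reason: "not JSON, review by hand" });
    }
    if (findings.length) report.push({ id, findings });
  }
  return report;
}

// Constructed sample data, not taken from a real system.
const samplePlugins = [
  { id: "SearchPlugin", configuration: '{"endpoint":"https://search.example.test","apiKey":"EXAMPLE-NOT-A-REAL-KEY"}' },
  { id: "ThemePlugin", configuration: '{"color":"blue","layout":{"columns":3}}' },
  { id: "LegacyPlugin", configuration: "user=svc;pwd=example" },
];
console.log(JSON.stringify(auditPlugins(samplePlugins), null, 2));
```

The report lists only the plugin id, the path of the suspicious field and the reason, so it can be shared without leaking the values it found.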

A suggestion would be to create a ‘central configuration’ plugin that stores its configuration (through the configuration pane) in a different location/datasource that is only accessible to admin users. A nice addition would be a Java class that performs a server-side lookup of the datasource, so the configuration is available anywhere within your server context 🙂

P.S. Did you know the IBM ICA/Watson plugin requires configuring an API key?

Update: I translated my own suggestion into a working solution :) See Central Configuration plugin for multi-server ICN/ICM environments

 

 
