...
- Attempting to retrieve a password that doesn't exist returns an empty node set; it does not throw an error.
- XPath's = and != operators are existential: a comparison that involves a node set is true only if some node in the set satisfies it, so a comparison against an empty node set is false for both operators (see https://stackoverflow.com/questions/4629416/xpath-operator-how-does-it-work). Combined with the observation above, if the password is not set in the vault then "$provided_password = $vault_password" and "$provided_password != $vault_password" are both false. A check written as "reject when $provided_password != $vault_password" therefore rejects nothing, which is an authentication bypass, while one written as "reject unless $provided_password = $vault_password" rejects everything. If the missing value comes back as an empty string instead of an empty node set, != against any non-empty password is true and again every request is rejected. In none of these cases does the comparison itself tell you that the password was missing, so always separately verify that neither value is empty before comparing them.
- Because passwords must be entered by an ESB administrator, they are a common source of deployment problems. ESB developers must be very clear about which passwords their project uses and must explicitly check for the case where a password hasn't been entered.
- A password entered under the wrong key is stored without complaint and looks successful to the ESB administrator; the project then reads its expected key and gets an empty result. Be sure to use the full, quoted password key in all documentation.
- Password keys must be unique. Use a key that is prefixed by the application's common prefix. See "Prefix - ESB Idiom".
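The following Python model is added here as an example; it is not code from this page or from any ESB product. It implements the XPath 1.0 general-comparison rule described above (a comparison involving a node set is existential, so an empty node set makes both = and != false) and runs the naive "reject when $provided_password != $vault_password" check next to a hardened check that verifies neither side is empty before comparing. The vault dictionary, the password key and all function names are assumptions made for illustration.

```python
"""Model of XPath 1.0 general-comparison semantics applied to a password
check. Added example, not taken from the page or from any ESB. The vault,
key and function names are hypothetical."""

import hmac
from typing import Union

NodeSet = list  # a node set is modelled as a list of node string-values
Value = Union[str, NodeSet]


def xpath_compare(left: Value, op: str, right: Value) -> bool:
    """XPath 1.0 general comparison (spec section 3.4) for string and
    node-set operands.

    Node set vs node set: true iff some pair of nodes satisfies op.
    Node set vs string:   true iff some node's string-value satisfies op.
    String vs string:     plain comparison.
    An empty node set therefore makes both '=' and '!=' false.
    """
    if op not in ("=", "!="):
        raise ValueError("only = and != are modelled")
    lefts = left if isinstance(left, list) else [left]
    rights = right if isinstance(right, list) else [right]
    same = (lambda a, b: a == b) if op == "=" else (lambda a, b: a != b)
    return any(same(a, b) for a in lefts for b in rights)


def vault_lookup(vault: dict, key: str) -> NodeSet:
    """Mimics the vault behaviour the page describes: a missing key yields
    an empty node set rather than an error."""
    return [vault[key]] if key in vault else []


def naive_is_rejected(provided: str, vault: dict, key: str) -> bool:
    """The pattern the page warns about: reject iff $provided != $vault."""
    return xpath_compare(provided, "!=", vault_lookup(vault, key))


def naive_not_equal_is_rejected(provided: str, vault: dict, key: str) -> bool:
    """Variant of the naive pattern: reject iff not($provided = $vault)."""
    return not xpath_compare(provided, "=", vault_lookup(vault, key))


def hardened_is_rejected(provided: str, vault: dict, key: str) -> bool:
    """Check emptiness of both sides first (fail closed on a missing or
    blank vault entry, which is a deployment error), then compare in
    constant time."""
    stored = vault_lookup(vault, key)
    if not provided or not stored or not stored[0]:
        return True
    return not hmac.compare_digest(provided.encode(), stored[0].encode())


if __name__ == "__main__":
    key = "myapp.api.password"            # hypothetical prefixed key
    configured = {key: "s3cret"}          # constructed sample vault
    missing = {}                          # administrator forgot the key
    for label, vault in (("configured", configured), ("missing", missing)):
        print(label,
              "naive!=:", naive_is_rejected("attacker-guess", vault, key),
              "not(=):", naive_not_equal_is_rejected("attacker-guess", vault, key),
              "hardened:", hardened_is_rejected("attacker-guess", vault, key))
```

With the key present the three checks agree. With the key missing, the "!=" form rejects nothing (every caller is let through), the "not(=)" form rejects everything, and only the hardened form both fails closed and makes the cause obvious to whoever is debugging the deployment.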
Solutions
Password Storage
...