I've written python code by using httplib to consume REST API, that required basic Authentication.
So i used the username and password in plaintext in the code.
1)Is it right to put password in code ?
2)If wrong what is the right way?
Please shed some light.
Putting passwords in code is a bad idea(tm), since your could could end up on Github, etc, and leak the password. Use buildout.cfg to store secrets, and keep buildout.cfg specific to each installation (i.e. don't check it into source control).
Have a look at: http://docs.plone.org/4/en/old-reference-manuals/buildout/additional.html#configuring-plone-products-from-buildout
Even a locla buildout.cfg wants to be kept under revision control.
It's better to put passwords into some text file and encrypt the the file e.g. using AES-256.
Asking for the key at runtime or decrypting the encrypted password store should be save enough.
...and save enough in case you commit the encrypted pw store to a public repo as long as you use a strong key.
-aj
You can use an environment variable to pass in a username and password when starting the application. That way the password is only known locally on the server.
Or you can store the password in your Plone site's registry.
You can define a registry key and keep it empty in code, and set the correct value through the Plone control panel.
Have fun!
I’ve found that this stores the key in plain text in data.fs or relstorage object_state.
GitHub - zopefoundation/cipher.encryptingstorage: ZODB storage wrapper for encryption of database records May solve this
That looks terribly complicated and probably not used commonly enough to be super reliable