From 7d547cacf30ee7f90a76f72b66a11953663fcca6 Mon Sep 17 00:00:00 2001 From: index-git Date: Thu, 25 Jan 2024 11:11:18 +0100 Subject: [PATCH] Document JDBC role service password stored as plaintext --- doc/env-settings.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/env-settings.md b/doc/env-settings.md index d3e171938..b313ad429 100644 --- a/doc/env-settings.md +++ b/doc/env-settings.md @@ -95,6 +95,7 @@ List of [users](models.md#user) and [roles](models.md#role) giving them permissi ### LAYMAN_ROLE_SERVICE_URI URL of [Role Service](security.md#role-service) with DB schema in format `postgresql://:@:/?schema=`. URL scheme must be `postgresql`. URL host must be mentioned explicitly, as well as DB schema in `schema` URL query parameter. If you want to use [internal role service schema](security.md#internal-role-service-schema) provided by Layman, set value to `postgresql://:@:/?schema=_role_service` (replace variable names with their values). +Password is stored as plaintext in GeoServer config file. One of solutions of this security issue is to create DB user exclusively for this purpose with read-only rights for role-service tables/views. ## Layman Test Client Settings
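Review bot: The added line under `LAYMAN_ROLE_SERVICE_URI` calls a dedicated read-only DB user a solution, but the password is still written in plaintext, so this only limits what a leaked credential can do. I would describe it as a mitigation and name the GeoServer config file that receives the password, so operators know which file to protect with filesystem permissions and keep out of backups and shared volumes. It would also help to say whether the same advice applies when the internal `_role_service` schema from the preceding paragraph is used, since a reader may otherwise put the main Layman DB credentials in that URI. Wording nit: "One of solutions of this security issue is to create DB user" reads better as "One way to mitigate this is to create a DB user used only for this purpose, with read-only rights on the role-service tables/views."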