Custom JSys DataSorurce password encryption?
I am working with JBoss 4.2.1GA .
As you could there is now a way to avoid the JBoss DataSoruce password in plain text . However, this method has a fundamental security flaw that becomes apparent when you look at how org.jboss.resource.security.SecureIdentityLoginModule is decoded and encoded . The encryption is basically a regular blowfish using a fixed secret key ("jaas is the way").
I'm looking for a way to change the fixed secret key for one that I choose, or to change the encryption / decryption method.
I tend to think it can be done by overriding SecureIdentityLoginModule , which is good, but I find it hard to believe that there is no out-of-the-box option for this (I haven't found one so far)
Has anyone done something like this?
source to share
Ok, this is how I did it (I am working on JBOSS 4.2.1 GA and Oracle, so some things might differ between DB versions and vendors):
You need to extend AbstractPasswordCredentialLoginModule .
I based mine (Called PGPLoginModule ) in an out-of-the-box implementation called SecureIdentityLoginModule , the only difference between this and mine is the decoding and encoding methods that use a different encryption algorithm and process (mine uses a PGP certificate to decrypt the properties file where the password is stored). similar to what is explained in this article , but you can use any method you prefer.
You will need to add the following jars located in the jboss library folders to resolve dependencies:
- [JBOSS_HOME] /lib/jboss-common.jar
- [JBOSS_HOME] /lib/jboss-jmx.jar
- [JBOSS_HOME] /server/default/lib/jbosssx.jar
- [JBOSS_HOME] /server/default/lib/jboss-jca.jar
You need to JAR your class and place the jar either:
- [JBOSS_HOME] / server / default / lib
or
- [JBOSS_HOME] / Library
If you have this, you need to configure it in the security domain you defined in jboss login-config.xml so that it uses your class (my org.company.resource.security.PGPLoginModule ) instead of using the default, so it will look something like this:
<application-policy name="PGPDomain">
<authentication>
<login-module code="org.company.resource.security.PGPLoginModule" flag="required">
<module-option name="username">[DB_USER]</module-option>
<module-option name="password">[ENCTRYPTED_PASSWORD]</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
</login-module>
</authentication>
</application-policy>
Please note that depending on the strength and algorithm you choose to use, you may need to install Java Cryptography Extension Unlimited Strength Policy Files on your JRE.
I hope someone finds this helpful.
source to share
There is an outstanding big list for this issue, at least for JBoss 4.0.x: https://issues.jboss.org/browse/JBAS-4460
Pay attention to the comment:
"Database encryption password" is used to pass silly security checks. After all, there will be some kind of password somewhere, because the system needs to decrypt the password to send it to the database. It will always be easy for an experienced programmer to crack this. Filesystem / OS security + transport security is your only hope.
What the commenter says is a common problem for all security systems: at some point there is a key that can be decrypted. Make sure the server's file system security is nailed so that this key is not easily accessible and you should be fine.
source to share