[jboss-jira] [JBoss JIRA] (AS7-3419) JBossWeb::ssl element in connector settings should check for vaultified strings

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Feb 2 14:28:48 EST 2012


    [ https://issues.jboss.org/browse/AS7-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663865#comment-12663865 ] 

Anil Saldhana commented on AS7-3419:
------------------------------------

The issue seems to be in org.jboss.as.server.RuntimeExpressionResolver

Method: resolvePluggableExpression(ModelNode node)

https://github.com/jbossas/jboss-as/blob/master/server/src/main/java/org/jboss/as/server/RuntimeExpressionResolver.java

Data:
expression "${VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}"

After the method invocation, it turns into
VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx

Basically, the step: expression = expression.substring(2, expression.length() -2);

is chopping the last "0" out of the expression value.

I wonder whether your expressions do not go through this class.

> JBossWeb::ssl element in connector settings should check for vaultified strings
> -------------------------------------------------------------------------------
>
>                 Key: AS7-3419
>                 URL: https://issues.jboss.org/browse/AS7-3419
>             Project: Application Server 7
>          Issue Type: Feature Request
>          Components: Web
>    Affects Versions: 7.1.0.CR1
>            Reporter: Anil Saldhana
>            Assignee: Tomaz Cerar
>             Fix For: 7.1.0.Final
>
>
> Currently, the passwords in the ssl element of the connector settings are in clear text.  
> https://community.jboss.org/wiki/JBossAS7SecuringPasswords describes very simple ways of checking whether a string is of the vault format and invoking the vault to get the decrypted string value.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
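The off-by-one described in the comment above is easy to reproduce and to check for. The following Java snippet is an added example written for this page; it is not code from JBoss AS or from org.jboss.as.server.RuntimeExpressionResolver, and the class name, method names and the vault-format regular expression are assumptions of this example. It strips the `${...}` wrapper the way the comment quotes it (`substring(2, length() - 2)`), which drops the last character of the shared key because the closing brace is only one character long, and beside it the corrected end offset (`length() - 1`). It also shows the kind of "is this a vaultified string?" check the quoted issue description asks for, so a clear-text password such as `changeit` is never handed to the vault while a `${VAULT::block::attribute::sharedKey}` reference is, with its shared key intact:

```java
import java.util.regex.Pattern;

public class VaultExpressionDemo {

    // Shape of a vaultified value as it appears on this page:
    //   ${VAULT::<vault_block>::<attribute_name>::<shared_key>}
    // The pattern itself is an assumption of this example, not the project's.
    private static final Pattern VAULT_PATTERN =
        Pattern.compile("^\\$\\{(VAULT::[^:}]+::[^:}]+::[^:}]+)\\}$");

    /** Reproduces the step quoted in the comment: two characters are cut from both ends. */
    static String unwrapAsReported(String expression) {
        return expression.substring(2, expression.length() - 2);
    }

    /** "${" is two characters but "}" is only one, so the end offset must be length() - 1. */
    static String unwrapCorrected(String expression) {
        if (!expression.startsWith("${") || !expression.endsWith("}")) {
            throw new IllegalArgumentException("not a ${...} expression: " + expression);
        }
        return expression.substring(2, expression.length() - 1);
    }

    /** True if the value is a vault reference rather than a clear-text password. */
    static boolean isVaultExpression(String value) {
        return value != null && VAULT_PATTERN.matcher(value).matches();
    }

    /** Splits an unwrapped body into {block, attribute, sharedKey}; null if it is not VAULT::a::b::c. */
    static String[] vaultFields(String body) {
        String[] parts = body.split("::");
        if (parts.length != 4 || !"VAULT".equals(parts[0])) {
            return null;
        }
        return new String[] { parts[1], parts[2], parts[3] };
    }

    public static void main(String[] args) {
        // The expression quoted in the comment above.
        String expr = "${VAULT::keystore_pass::password::"
                    + "NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}";

        String asReported = unwrapAsReported(expr);
        String corrected  = unwrapCorrected(expr);
        System.out.println("as reported: " + asReported);
        System.out.println("corrected  : " + corrected);
        // The reported variant loses the trailing "0" of the shared key; the corrected one keeps it.
        System.out.println("reported variant truncated the shared key: " + asReported.endsWith("ZhdWx"));
        System.out.println("corrected variant kept the shared key    : " + corrected.endsWith("ZhdWx0"));

        // Only vaultified strings should be sent to the vault; clear text must be left alone.
        System.out.println("isVaultExpression(expr)       = " + isVaultExpression(expr));
        System.out.println("isVaultExpression(\"changeit\") = " + isVaultExpression("changeit"));

        String[] fields = vaultFields(corrected);
        System.out.println("block=" + fields[0] + " attribute=" + fields[1] + " sharedKey=" + fields[2]);
    }
}
```

Run it with `javac VaultExpressionDemo.java && java VaultExpressionDemo`; the "as reported" line ends in `ZhdWx`, matching the truncated value quoted in the comment, while the corrected line ends in `ZhdWx0`. A truncated shared key is the practical consequence to watch for: the vault lookup for the keystore password would be made with the wrong key and fail.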