[jboss-jira] [JBoss JIRA] (AS7-3419) JBossWeb::ssl element in connector settings should check for vaultified strings
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Thu Feb 2 14:28:48 EST 2012
[ https://issues.jboss.org/browse/AS7-3419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663865#comment-12663865 ]
Anil Saldhana commented on AS7-3419:
------------------------------------
The issue seems to be in org.jboss.as.server.RuntimeExpressionResolver
Method: resolvePluggableExpression(ModelNode node)
https://github.com/jbossas/jboss-as/blob/master/server/src/main/java/org/jboss/as/server/RuntimeExpressionResolver.java
Data:
expression "${VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}"
After the method invocation, turns into
VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx
Basically, the step: expression = expression.substring(2, expression.length() -2);
is chopping the last "0" out of the expression value.
I wonder whether your expressions do not go through this class.
> JBossWeb::ssl element in connector settings should check for vaultified strings
> -------------------------------------------------------------------------------
>
> Key: AS7-3419
> URL: https://issues.jboss.org/browse/AS7-3419
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Web
> Affects Versions: 7.1.0.CR1
> Reporter: Anil Saldhana
> Assignee: Tomaz Cerar
> Fix For: 7.1.0.Final
>
>
> Currently, the passwords in the ssl element of the connector settings are in clear text.
> https://community.jboss.org/wiki/JBossAS7SecuringPasswords describes very simple ways of checking whether a string is of the vault format and invoking the vault to get the decrypted string value.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
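
The truncation described in the comment above, reproduced as an added example (not code from JBoss AS or from the commenter). The class and method names are hypothetical, and the four-field VAULT::block::attribute::sharedKey split is an assumption read off the expression quoted in the comment.

```java
import java.util.Arrays;

// Added illustration; class and method names are hypothetical, not JBoss AS code.
public class VaultExpressionDemo {

    // The step quoted in the comment: drops "${" but also removes two trailing characters.
    static String stripAsReported(String expression) {
        return expression.substring(2, expression.length() - 2);
    }

    // Removes exactly the "${" prefix and the "}" suffix; other input is returned unchanged.
    static String stripWrapper(String expression) {
        if (expression.length() >= 3 && expression.startsWith("${") && expression.endsWith("}")) {
            return expression.substring(2, expression.length() - 1);
        }
        return expression;
    }

    // Splits VAULT::block::attribute::sharedKey (assumed layout); null if the shape does not match.
    static String[] parseVault(String body) {
        String[] parts = body.split("::", -1);
        if (parts.length != 4 || !"VAULT".equals(parts[0])) {
            return null;
        }
        for (String p : parts) {
            if (p.isEmpty()) return null;
        }
        return Arrays.copyOfRange(parts, 1, 4);
    }

    public static void main(String[] args) {
        // Expression value copied from the comment above.
        String expr = "${VAULT::keystore_pass::password::"
                + "NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}";

        String[] reported = parseVault(stripAsReported(expr));
        String[] fixed = parseVault(stripWrapper(expr));

        // The last field is what reaches the vault lookup; one lost character changes it.
        System.out.println("reported key length: " + reported[2].length());
        System.out.println("fixed key length:    " + fixed[2].length());
        System.out.println("keys equal:          " + reported[2].equals(fixed[2]));
        System.out.println("fixed key ends '0':  " + fixed[2].endsWith("0"));
    }
}
```

The truncated string still parses as a four-field vault expression, so a format check alone does not catch the lost character; only the final field differs.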