[security-dev] Password masking/clear text
Anil.Saldhana at redhat.com
Thu Mar 14 11:59:08 EDT 2013
Almost all projects have a password that needs to be configured in a
configuration file or needs to be set as a value in an annotation.
Nobody likes to see cleartext passwords.
*What we did until now* :-
Since encryption/decryption requires a symmetric key and it is a pain to
manage symmetric keys, we have used Password Based Encryption (PBE),
which is not bullet-proof encryption but a low-grade attempt at masking.
PicketBox historically had the PBE utility classes.
PicketBox4 has the Vault interface/default implementation that was
placed into AS7. The Vault uses AES encryption to encrypt the passwords
using a Java Keystore. But it uses a weak link (PBE to mask the
password to the keystore).
Why do we need to think about this? :-
JBoss Community projects either run standalone (sometimes they may need to run
on different App Servers) or run in JBoss AS. An example would be Drools
Management (aka BRMS). If the project runs on JBossAS, you should be
using the vault facility to mask the passwords.
What do we do with standalone projects for the future?
a) We can ask them to download the picketbox library as dependency and
build on the vault SPI or
b) Migrate the vault from PicketBox to PicketLink going forward.
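The two approaches contrasted in the message, as an added illustration that is not PicketBox, PicketLink or AS7 code: a PBE "mask" whose passphrase and salt are constants in the code, so any holder of the jar can unmask every config value, next to a vault-style layout where a random AES key lives in a Java keystore and only the keystore password remains to be protected. The algorithm names (PBEWithMD5AndDES for the legacy masking, AES/GCM for the vault), the alias, and the `VAULT_KS_PASSWORD` environment variable are assumptions made for this example; the real Vault's choices may differ.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class MaskingDemo {
    // --- 1. PBE masking ("low grade" masking, not encryption) ---
    // Passphrase, salt and iteration count are constants in the code (hypothetical
    // values). Whoever can read the code can run pbeUnmask() on any masked value,
    // whichever PBE algorithm is used; the embedded passphrase is the weakness.
    private static final char[] PBE_PASSPHRASE = "hypothetical-constant-passphrase".toCharArray();
    private static final byte[] PBE_SALT = {1, 2, 3, 4, 5, 6, 7, 8};
    private static final int PBE_ITERATIONS = 1000;
    private static final String PBE_ALG = "PBEWithMD5AndDES"; // legacy algorithm, assumption

    static String pbeMask(String clear) throws Exception {
        Cipher c = pbeCipher(Cipher.ENCRYPT_MODE);
        return Base64.getEncoder().encodeToString(c.doFinal(clear.getBytes(StandardCharsets.UTF_8)));
    }

    static String pbeUnmask(String masked) throws Exception {
        Cipher c = pbeCipher(Cipher.DECRYPT_MODE);
        return new String(c.doFinal(Base64.getDecoder().decode(masked)), StandardCharsets.UTF_8);
    }

    private static Cipher pbeCipher(int mode) throws Exception {
        SecretKey k = SecretKeyFactory.getInstance(PBE_ALG).generateSecret(new PBEKeySpec(PBE_PASSPHRASE));
        Cipher c = Cipher.getInstance(PBE_ALG);
        c.init(mode, k, new PBEParameterSpec(PBE_SALT, PBE_ITERATIONS));
        return c;
    }

    // --- 2. Vault-style: a random AES key held in a Java keystore ---
    // The keystore password is now the only secret left to protect (the "weak link"
    // the message mentions). Here it is supplied by the operator through the
    // environment instead of being masked in the code; that is a design choice for
    // this demo, not a description of what the Vault does.
    static KeyStore newVaultKeystore(char[] ksPassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS"); // JCEKS can hold SecretKeyEntry
        ks.load(null, null);                           // start from an empty keystore
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                                  // 128 to avoid old JCE policy limits
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(ksPassword));
        return ks;
    }

    static String vaultEncrypt(KeyStore ks, char[] ksPassword, String alias, String clear) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, ksPassword);
        byte[] iv = new byte[12];                      // fresh nonce per value
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(clear.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];  // store nonce || ciphertext+tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String vaultDecrypt(KeyStore ks, char[] ksPassword, String alias, String sealed) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, ksPassword);
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        byte[] pt = c.doFinal(in, 12, in.length - 12); // GCM tag check fails on tampering
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String dbPassword = "constructed-sample-secret"; // constructed sample value

        String masked = pbeMask(dbPassword);
        System.out.println("PBE masked value : " + masked);
        System.out.println("unmasked using only the code: " + pbeUnmask(masked));

        // Operator-supplied keystore password; "demo-only" is a fallback for this example.
        char[] ksPass = System.getenv().getOrDefault("VAULT_KS_PASSWORD", "demo-only").toCharArray();
        KeyStore ks = newVaultKeystore(ksPass, "vault-key");
        String sealed = vaultEncrypt(ks, ksPass, "vault-key", dbPassword);
        System.out.println("vault sealed     : " + sealed);
        System.out.println("decrypted with keystore key : " + vaultDecrypt(ks, ksPass, "vault-key", sealed));
    }
}
```

The practical difference the demo makes visible: `pbeUnmask` needs nothing that is not already shipped with the application, while `vaultDecrypt` needs the keystore and its password, so the security of the vault is exactly the security of however that keystore password is delivered, which is the weak link the message identifies.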