[security-dev] Password masking/clear text

Rodney Russ rruss at redhat.com
Thu Mar 14 17:02:38 EDT 2013

I would think migrating from PicketBox to PicketLink  would make sense to simplify things moving forward (i.e. all your security needs are fulfilled by PL).

----- "Anil Saldhana" <Anil.Saldhana at redhat.com> wrote:

> Hi All,
> *Background* :-
>    almost all projects have a password that need to be configured in a
> configuration file or needs to be set as a value in an annotation. 
> Nobody likes to see cleartext passwords.
> *What we did until now* :-
> Since encryption/decryption requires a symmetric key and it is a pain
> to 
> manage symmetric keys, we have used Password Based Encryption (PBE) 
> which is not bullet proof encryption but a low grade attempt at
> masking 
> the passwords.
> PicketBox historically had the PBE utility classes.
> PicketBox4 has the Vault interface/default implementation that was 
> placed into AS7. The Vault uses AES encryption to encrypt the
> passwords 
> using a Java Keystore. But it uses a weak link ( PBE to mask the 
> password to the keystore).
> Why we need to think about this? :-
> JBoss Community projects either run standalone (sometime may need to
> run 
> of different App Servers) or run in JBoss AS. An example would be
> Drools 
> Management (aka BRMS).  If the project runs on JBossAS, you should be
> using the vault facility to mask the passwords.
> What do we do with standalone projects for the future?
> a) We can ask them to download the picketbox library as dependency and
> build on the vault SPI or
> b) Migrate the vault from PicketBox to PicketLink going forward.
> Thoughts?
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list