[security-dev] Password masking/clear text

Anil Saldhana Anil.Saldhana at redhat.com
Fri Mar 15 14:40:32 EDT 2013


Rodney,
   it makes sense but the challenge is that the vault has shipped in 
AS7.x and EAP 6.x

So moving it to PicketLink will have migration concerns for users 
already using the vault (that number is high).

I can schedule this being handled in PL 3.1 (ETA: May 2013).

Regards,
Anil

On 03/14/2013 04:02 PM, Rodney Russ wrote:
> I would think migrating from PicketBox to PicketLink would make sense to simplify things moving forward (i.e. all your security needs are fulfilled by PL).
>
> ----- "Anil Saldhana" <Anil.Saldhana at redhat.com> wrote:
>
>> Hi All,
>>
>> *Background* :-
>>     almost all projects have a password that needs to be configured in a
>> configuration file or set as a value in an annotation.
>> Nobody likes to see cleartext passwords.
>>
>> *What we did until now* :-
>> Since encryption/decryption requires a symmetric key and it is a pain to
>> manage symmetric keys, we have used Password Based Encryption (PBE),
>> which is not bullet-proof encryption but a low-grade attempt at masking
>> the passwords.
>> PicketBox historically had the PBE utility classes.
>> PicketBox4 has the Vault interface/default implementation that was
>> placed into AS7. The Vault uses AES encryption to encrypt the passwords
>> using a Java Keystore. But it uses a weak link (PBE to mask the
>> password to the keystore).
>>
>> *Why do we need to think about this?* :-
>> JBoss Community projects either run standalone (sometimes they may need
>> to run on different App Servers) or run in JBoss AS. An example would be
>> Drools Management (aka BRMS). If the project runs on JBoss AS, you should
>> be using the vault facility to mask the passwords.
>>
>> *What do we do with standalone projects for the future?*
>> a) We can ask them to download the picketbox library as a dependency and
>> build on the vault SPI, or
>> b) Migrate the vault from PicketBox to PicketLink going forward.
>>
>> Thoughts?
>>
>> Regards,
>> Anil
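The chain Anil describes above (a PBE-masked keystore password guarding the keystore that holds the vault's AES key), as an added example that is not PicketBox, PicketLink or JBoss code: a toy reconstruction in Python using only the standard library. PBKDF2-HMAC-SHA256 plus an HMAC-SHA256 counter-mode keystream stand in for the PBE and AES ciphers; the constants, config keys, keystore layout and function names are all hypothetical. What it shows is why the masking step is the weak link: the passphrase, salt and iteration count are fixed inside the library, so anyone who can read the configuration file and run the library recovers the keystore password, and with the keystore and vault files, every secret the vault protects.

```python
"""Toy reconstruction of PBE masking in front of a keystore-backed vault.

Not PicketBox/JBoss code.  PBKDF2-HMAC-SHA256 plus an HMAC-SHA256 counter-mode
keystream stand in for the PBE and AES ciphers; the structure is the point, not
the cipher.  All constants, config keys and the keystore layout are hypothetical.
"""
import base64
import hashlib
import hmac

# Hypothetical constants standing in for the passphrase, salt and iteration
# count a masking utility embeds in its own source.  They are the only
# "secret" masking has, and they ship with the library.
MASK_PASSPHRASE = b"somearbitrarycrazystringthatdoesnotmatter"
MASK_SALT = b"12345678"
MASK_ITERATIONS = 1000
MASK_PREFIX = "MASK-"


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the PBE/AES cipher."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes, label: bytes) -> bytes:
    # Per-label subkey so two values never share a keystream.
    subkey = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, _keystream(subkey, len(data))))


def _mask_key() -> bytes:
    """Derived only from embedded constants: identical for every installation."""
    return hashlib.pbkdf2_hmac("sha256", MASK_PASSPHRASE, MASK_SALT,
                               MASK_ITERATIONS, dklen=32)


def mask(cleartext: str) -> str:
    """What a project does once, so that the config file holds no cleartext."""
    blob = _xor(cleartext.encode(), _mask_key(), b"mask")
    return MASK_PREFIX + base64.b64encode(blob).decode()


def unmask(value: str) -> str:
    """What the library does at startup; anyone holding the library can do it."""
    if not value.startswith(MASK_PREFIX):
        return value  # stored in the clear
    blob = base64.b64decode(value[len(MASK_PREFIX):])
    return _xor(blob, _mask_key(), b"mask").decode()


def make_config(keystore_password: str) -> str:
    """Constructed config fragment: masked keystore password, as in the thread."""
    return "\n".join([
        "vault.keystore=/opt/app/vault.keystore",
        "vault.keystore.password=" + mask(keystore_password),
        "vault.alias=vault",
    ]) + "\n"


def recover_keystore_password(config_text: str) -> str:
    """Attacker step 1: read the config, unmask with the public constants."""
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "vault.keystore.password":
            return unmask(value.strip())
    raise KeyError("vault.keystore.password not found")


def open_keystore(keystore: dict, password: str) -> bytes:
    """Stands in for KeyStore.load(): the password gates the vault's AES key."""
    if not hmac.compare_digest(keystore["password"].encode(), password.encode()):
        raise PermissionError("bad keystore password")
    return keystore["vault_key"]


def encrypt_entry(vault_key: bytes, name: str, secret: str) -> str:
    """Vault entry protected by the key held in the keystore."""
    return base64.b64encode(_xor(secret.encode(), vault_key, name.encode())).decode()


def decrypt_entry(vault_key: bytes, name: str, blob: str) -> str:
    return _xor(base64.b64decode(blob), vault_key, name.encode()).decode()


def attacker_reads_vault(config_text: str, keystore: dict, entries: dict) -> dict:
    """Attacker steps 2-3: keystore password -> vault key -> every vault entry.

    Needs only read access to the config, the keystore and the vault file,
    plus the library itself; no secret outside those artifacts is required.
    """
    vault_key = open_keystore(keystore, recover_keystore_password(config_text))
    return {name: decrypt_entry(vault_key, name, blob) for name, blob in entries.items()}


if __name__ == "__main__":
    vault_key = b"\x11" * 32  # constructed; a real keystore holds a random AES key
    keystore = {"password": "changeit", "vault_key": vault_key}
    vault = {"ds.password": encrypt_entry(vault_key, "ds.password", "db-pa55w0rd")}
    config = make_config("changeit")
    print(config)  # no cleartext password anywhere in the config ...
    print(attacker_reads_vault(config, keystore, vault))  # ... yet all of it recoverable
```

Two properties worth noticing when running it: `mask()` is deterministic, so equal passwords produce equal masked strings across configuration files, and the vault's AES layer adds nothing against an attacker who already holds the config, the keystore and the library, because the keystore password that gates the AES key is recoverable from the first two. Masking keeps the cleartext out of casual view; it does not keep it from anyone with file read access on the host.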

