[JBoss AS 7 Development] - Re: Using Log4J in AS7
by David Jensen
David Jensen [https://community.jboss.org/people/davidj] created the discussion
"Re: Using Log4J in AS7"
To view the discussion, visit: https://community.jboss.org/message/776750#776750
--------------------------------------------------------------
Hi,
Can someone step me through how to set up log4j on JBoss AS7?
I've tried the following.
I have an EJB JAR file which has a "log4j.properties" file.
This same JAR file will log correctly on other app servers (such as Glassfish).
I read elsewhere that I must do the following in my "standalone.xml" file:
<size-rotating-file-handler name="MY_LOGGER">
    <level name="TRACE"/>
    <formatter>
        <pattern-formatter pattern="%d{MMM-dd hh:mm:ss} [%c{1}] %m%n"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="myLogger.log"/>
    <rotate-size value="9216K"/>
    <max-backup-index value="3"/>
</size-rotating-file-handler>

<logger category="com.mycompany">
    <level name="TRACE"/>
    <handlers>
        <handler name="MY_LOGGER"/>
    </handlers>
</logger>
I tried that and it still doesn't work.
I don't want to do anything fancy. All I want is for my log statements to be written to a file called "myLogger.log".
Any help would be appreciated.
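As an added diagnostic (not from the original post and not JBoss's own tooling), a small checker that parses a logging subsystem fragment like the one above and reports two common reasons a configured logger writes nothing: a <handler> reference that resolves to no defined handler, and a handler whose level is stricter than the logger feeding it. The sample XML, its namespace version and the extra CONSOLE handler are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an AS7 standalone.xml logging subsystem (namespace
# version assumed). CONSOLE is stricter than its logger; MISSING_HANDLER is undefined.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:logging:1.1">
  <size-rotating-file-handler name="MY_LOGGER">
    <level name="TRACE"/>
    <formatter><pattern-formatter pattern="%d{MMM-dd hh:mm:ss} [%c{1}] %m%n"/></formatter>
    <file relative-to="jboss.server.log.dir" path="myLogger.log"/>
    <rotate-size value="9216K"/>
    <max-backup-index value="3"/>
  </size-rotating-file-handler>
  <console-handler name="CONSOLE"><level name="INFO"/></console-handler>
  <logger category="com.mycompany">
    <level name="TRACE"/>
    <handlers><handler name="MY_LOGGER"/><handler name="CONSOLE"/></handlers>
  </logger>
  <logger category="com.example.other">
    <level name="DEBUG"/>
    <handlers><handler name="MISSING_HANDLER"/></handlers>
  </logger>
</subsystem>"""

LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"]

def local(tag):
    # ElementTree writes namespaced tags as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]
def level_of(el):
    # Index into LEVELS of the element's direct <level name="..."/>, or None if absent.
    lvl = next((c.get("name") for c in el if local(c.tag) == "level"), None)
    return LEVELS.index(lvl) if lvl in LEVELS else None
def check_logging_subsystem(xml_text):
    """Return problems: dangling handler refs and handlers stricter than their logger."""
    root = ET.fromstring(xml_text)
    handlers = {el.get("name"): el for el in root.iter()
                if local(el.tag).endswith("-handler") and el.get("name")}
    problems = []
    for lg in (e for e in root.iter() if local(e.tag) in ("logger", "root-logger")):
        cat, lg_lvl = lg.get("category", "<root>"), level_of(lg)
        for ref in (r for r in lg.iter() if local(r.tag) == "handler"):
            name = ref.get("name")
            if name not in handlers:
                problems.append(f"logger {cat}: undefined handler {name!r}")
                continue
            h_lvl = level_of(handlers[name])
            if lg_lvl is not None and h_lvl is not None and h_lvl > lg_lvl:
                problems.append(f"logger {cat}: handler {name} drops messages below {LEVELS[h_lvl]}")
    return problems
```

Run it against the logging subsystem copied out of your own standalone.xml; an empty list means every referenced handler exists and none of them silently filters what the logger passes to it.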
--------------------------------------------------------------
Re: [jboss-dev-forums] [JBoss AS 7 Development] - JBoss AS7 Securing Passwords
by Anil Saldhana
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] commented on the document
"JBoss AS7 Securing Passwords"
To view all comments on this document, visit: https://community.jboss.org/docs/DOC-17248#comment-11315
--------------------------------------------------
> mentallurg wrote:
>
> Frequently Asked Questions - now with correct answers:
> * How secure is this?
>
> *It is NOT secure at all!*
> You *disclose the password* via KEYSTORE_PASSWORD. No matter how complex the implementation is. No matter if it uses Java KeyStore, RSA, DES, or other algorithms. No matter how long the RSA key is. No matter if any 3rd party vault implementation is used. You *disclose the password* to access the vault. Everyone who has access to the config can easily decrypt all the passwords you have encrypted. This approach in JBoss is highly *vulnerable*! Unfortunately the Red Hat architect misleads all the users.
> Compare it to the following. You have a sophisticated lock on your house door. But you leave the key hanging on the door. Will you expect any safety? Or you have a highly secure alarm system in your car. But you leave a key on the hood of your car. What will you expect? Everyone can open your home door and use your car. The same is here with JBoss vault.
>
> * Can I really secure the keystore?
>   * You can store the keystore on a USB or an encrypted secure USB or such.
>   * When the server starts, insert the USB. On successful start, you can remove the USB.
>
> *Wrong.*
> You can use the USB of your developer's computer only. But you cannot use the USB of your production servers. Because normally there is no physical access to it: it may be in a secured room you have no access to, or at your customer hundreds of miles away, or it may be at your hoster, or in a cloud at Amazon, Rackspace, you name it.
> The JBoss server must start automatically each time the system starts. For instance the system was upgraded, or a patch was applied, or hardware was replaced, or the system was restored from a backup. The whole system is restarted. The JBoss server must automatically start, too. If the vault is missing, your application on JBoss will NOT start.
> One might suggest putting the vault on another disk, mounting it temporarily during system start-up, then unmounting it automatically after JBoss has started. But this only reduces the probability. It does not solve the problem. As long as a disk is mounted, it is available to all system processes. A hacker or a process started by a hacker can access the mounted disk, too.
>
> The worst thing is that the Red Hat architect who designed and implemented it does not warn the users. Users have a *false feeling of safety*. Wake up! You are in big trouble if you use JBoss vault.
>
Can you stop spreading FUD around?
Read: it says it uses "Password Based Encryption", which is security by obscurity. It is not 100% security.
To really get foolproof security of passwords, you either:
a) use a FIPS 140-2 certified keystore, or
b) use a 3rd party ISV implementation of the vault.
The default implementation provided allows masking of passwords and not ENCRYPTION of passwords.
--------------------------------------------------