[jboss-dev-forums] [Design of Security on JBoss] - Password masking at the MC level

Wednesday, 4 March 2009

I want to just place some of my thoughts here for future reference.

Scott had broached the topic of some aspects to encrypt/decrypt bean properties which is
on our TODO list. 

I also want to handle the issue of password masking (or any other sensitive bean
properties) using XML encryption.  It would be simple to encrypt the secret key using PKI
but it is not very simple to deal with the keystore stuff (keystore password etc). 
Assuming that we know how to do key management properly (such as encrypting the tomcat
keystore password for example which sets the JSSE keystore properties or other means of
dealing with keystore), we can certainly use XML encryption to encrypt xml elements of MC
bean definitions.

A writeup from me recently is here:
http://jboss.org/community/docs/DOC-13383

Apache XML Security is currently packaged in JBAS. It is pretty straight forward to write
an utility to encrypt/decrypt xml elements (either based on the one I started in JBID or
the one Jason wrote for WSS support in JBossWS).

I have not given too much thought on how to do it at the MC level yet but will in the next
few days. We do have the concept of SubjectFactory in AS5 which is being injected into JCA
connection factories.  Maybe a specific implementation of SubjectFactory that can handle
xml encryption may be good.

Just some of my thoughts.

View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4215052#...

Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-dev-forums] [Design of Security on JBoss] - Password masking at the MC level