[jboss-jira] [JBoss JIRA] (AS7-3419) JBossWeb::ssl element in connector settings should check for vaultified strings
[
https://issues.jboss.org/browse/AS7-3419?page=com.atlassian.jira.plugin.s...
]
Anil Saldhana commented on AS7-3419:
------------------------------------
The issue seems to be in org.jboss.as.server.RuntimeExpressionResolver
Method: resolvePluggableExpression(ModelNode node)
https://github.com/jbossas/jboss-as/blob/master/server/src/main/java/org/...
Data:
expression
"${VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}"
After the method invocation, turns into
VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx
Basically, the step: expression = expression.substring(2, expression.length() -2);
is chopping the last "0" out of the expression value.
I wonder whether your expressions do not go through this class.
JBossWeb::ssl element in connector settings should check for
vaultified strings
-------------------------------------------------------------------------------
Key: AS7-3419
URL: https://issues.jboss.org/browse/AS7-3419
Project: Application Server 7
Issue Type: Feature Request
Components: Web
Affects Versions: 7.1.0.CR1
Reporter: Anil Saldhana
Assignee: Tomaz Cerar
Fix For: 7.1.0.Final
Currently, the passwords in the ssl element of the connector settings are in clear text.
https://community.jboss.org/wiki/JBossAS7SecuringPasswords describes very simple ways
of checking whether a string is of the vault format and invoking the vault to get the
decrypted string value.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira