Jason Greene reopened JBAS-8353:
--------------------------------
Due to feedback from the community, I have split the AS7 and AS6 projects and reopened all
unscheduled AS6 issues that are a year or less old. This will make it easier for community
members to find and work on them.
Future releases beyond 6.1 can be done provided a community member steps up to coordinate
them.
PATCH: Support obfuscated System Properties
-------------------------------------------
Key: JBAS-8353
URL: https://issues.jboss.org/browse/JBAS-8353
Project: Legacy JBoss Application Server 6
Issue Type: Patch
Security Level: Public(Everyone can see)
Environment: ALL
Reporter: Andrew Oliver
Assignee: Andrew Oliver
Priority: Minor
Fix For: No Release
Attachments: jbosssx.jar, jbosssx.jar, patch, patch-50, patch.jar,
properties-service.xml, run.conf, test.properties
When you put -Djboss.sysprop.obfuscation=true in your run.conf JBOSS_OPTS, the
SecurityIdentityLoginModule decode function is used to decode properties ending in
_OBFUSCATED.

i.e.

server/default/conf/test.properties:

    mypassword_OBFUSCATED=5dfc52b51bd35553df8592078de921bc

server/default/deploy/properties-service.xml:

    <mbean code="org.jboss.varia.property.SystemPropertiesService"
           name="jboss:type=Service,name=SystemProperties">
      <attribute name="URLList">
        ./conf/test.properties
      </attribute>
    </mbean>

Then in your System.getProperties you have:

    mypassword             password
    mypassword_OBFUSCATED  5dfc52b51bd35553df8592078de921bc

So you can then use those properties in your config files with ${mypassword}.

You can use the same tool in
http://community.jboss.org/wiki/EncryptingDataSourcePasswords to obfuscate passwords in
the property file...
This helps you pass dumb security audits that require you to do dumb things that have
nothing to do with security, but fake security through needless labor is an industry
standard that we have to live with.
--
This message is automatically generated by JIRA.
For more information on JIRA, see:
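
The suffix handling described in the issue above, as an added Java 17+ example that is not the patch attached to JBAS-8353. The Blowfish cipher and its key are constructed stand-ins for the login module's decode function, and the names ObfuscatedProps, expand, encode and decode are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.HexFormat;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not the project's code. Cipher and key are assumptions.
public class ObfuscatedProps {
    static final String FLAG = "jboss.sysprop.obfuscation"; // from the issue text
    static final String SUFFIX = "_OBFUSCATED";             // from the issue text
    // Constructed stand-in key. A key the server can use unattended is readable by
    // anyone who can read the server's files, so this is encoding, not secrecy.
    static final SecretKeySpec KEY = new SecretKeySpec(
            "constructed-demo-key".getBytes(StandardCharsets.US_ASCII), "Blowfish");

    static byte[] run(int mode, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");
        c.init(mode, KEY);
        return c.doFinal(in);
    }
    static String encode(String clear) throws Exception {
        byte[] out = run(Cipher.ENCRYPT_MODE, clear.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(out);
    }
    static String decode(String hex) throws Exception {
        byte[] out = run(Cipher.DECRYPT_MODE, HexFormat.of().parseHex(hex));
        return new String(out, StandardCharsets.UTF_8);
    }

    // For every key ending in _OBFUSCATED, publish the decoded value under the key
    // with the suffix removed. The obfuscated entry is left in place.
    static void expand(Properties props) {
        if (!Boolean.parseBoolean(props.getProperty(FLAG))) return; // opt-in only
        for (String name : props.stringPropertyNames()) {           // snapshot of keys
            if (!name.endsWith(SUFFIX) || name.length() == SUFFIX.length()) continue;
            String plainName = name.substring(0, name.length() - SUFFIX.length());
            try {
                props.setProperty(plainName, decode(props.getProperty(name)));
            } catch (Exception e) { // bad hex or padding: skip, never log the value
                System.err.println("cannot decode " + name + ": " + e.getClass().getSimpleName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.setProperty(FLAG, "true");
        p.setProperty("mypassword" + SUFFIX, encode("password")); // constructed sample
        p.setProperty("broken" + SUFFIX, "zz");                   // constructed malformed value
        expand(p);
        p.forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

In a server the same call would be expand(System.getProperties()). The decoded value then sits in the system properties in the clear, as the mypassword line in the issue shows.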