[security-dev] Password masking/clear text

Hi All, *Background* :- almost all projects have a password that need to be configured in a configuration file or needs to be set as a value in an annotation. Nobody likes to see cleartext passwords. *What we did until now* :- Since encryption/decryption requires a symmetric key and it is a pain to manage symmetric keys, we have used Password Based Encryption (PBE) which is not bullet proof encryption but a low grade attempt at masking the passwords. PicketBox historically had the PBE utility classes. PicketBox4 has the Vault interface/default implementation that was placed into AS7. The Vault uses AES encryption to encrypt the passwords using a Java Keystore. But it uses a weak link ( PBE to mask the password to the keystore). Why we need to think about this? :- JBoss Community projects either run standalone (sometime may need to run of different App Servers) or run in JBoss AS. An example would be Drools Management (aka BRMS). If the project runs on JBossAS, you should be using the vault facility to mask the passwords. What do we do with standalone projects for the future? a) We can ask them to download the picketbox library as dependency and build on the vault SPI or b) Migrate the vault from PicketBox to PicketLink going forward. Thoughts? Regards, Anil