[jboss-dev-forums] [Design the new POJO MicroContainer] - Re: Security services deployer for the MC

[anil.saldhana@jboss.com]

"david.lloyd at jboss.com" wrote : I'm in the process now of adding tags to create injectable keys from key files and keystores.  A logical extension of that would be to inject passwords (read from files?  maybe as char arrays, maybe as some kind of opaque object (like a CallbackHandler that handles PasswordCallbacks perhaps?)).  What kind of security precautions should be taken?  The implication here is that if the password "lives" in the microcontainer's managed space, then anyone who has access to that space gets the password.  Maybe a special permission that includes the password bean name should be required to access it?  What do you guys think?  If I introduce special permissions for password access, I would think we'd want to do the same for SecretKey/PrivateKeys as well since they have similar security implications from what I can see.

* Apart from directly injecting passwords from files, another option would be to use Password Based Encryption (password, salt, iteration count).
* Agree on the special permission.  I feel that a special permission category (similar to classloader perm) can be created to give a super user type access to the sensitive keys  and then individual permissions for the password, privatekey....

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4205053#4205053

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4205053