[jboss-dev-forums] [PicketBox Development] - AS7: Utilising masked passwords via the vault
Anil Saldhana
do-not-reply at jboss.com
Wed Jan 11 14:22:46 EST 2012
Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the document:
"AS7: Utilising masked passwords via the vault"
To view the document, visit: https://community.jboss.org/docs/DOC-17472
--------------------------------------------------------------
Disclaimer: This article needs to be verified by our JCA experts. I may be doing something wrong. :)
h2. Background:
JBoss AS7.1 includes a vault facility for masking sensitive attribute values (such as passwords) so that they do not appear in clear text in the server configuration or in deployments: the value is stored encrypted under the vault directory and referenced from the configuration by a VAULT::block::attribute::sharedkey token.
You can get more information at https://community.jboss.org/docs/DOC-17248 (also reachable as https://community.jboss.org/wiki/JBossAS7SecuringPasswords).
h2. Example:
Assume that I want to obtain a datasource in my servlet. This is a very simple example.
The servlet would look like the following:
package vaulterror.web;

import java.io.IOException;
import java.io.Writer;

import javax.annotation.Resource;
import javax.annotation.sql.DataSourceDefinition;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Original definition with the clear-text database password, kept (commented out) for comparison:
/*@DataSourceDefinition(
    name = "java:jboss/datasources/LoginDS",
    user = "sa",
    password = "sa",
    className = "org.h2.jdbcx.JdbcDataSource",
    url = "jdbc:h2:tcp://localhost/mem:test"
)*/

// Same definition, but the password is a vault reference of the form
// VAULT::<vault block>::<attribute name>::<shared key>, as printed by vault.sh.
@DataSourceDefinition(
    name = "java:jboss/datasources/LoginDS",
    user = "sa",
    password = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0",
    className = "org.h2.jdbcx.JdbcDataSource",
    url = "jdbc:h2:tcp://localhost/mem:test"
)
@WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" }, loadOnStartup = 1)
public class MyTestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Injected by the container; it is non-null only if the datasource (and hence the
    // vault lookup behind its password) was resolved successfully.
    @Resource(lookup = "java:jboss/datasources/LoginDS")
    private DataSource ds;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        Writer writer = resp.getWriter();
        writer.write((ds != null) + "");
    }
}
Note that I have commented out one @DataSourceDefinition annotation; that one includes the clear-text database password. In this example, we use the H2 database that is available for use in JBoss AS7.1.
The uncommented @DataSourceDefinition refers to the password through the vault instead: the VAULT::DS::thePass::<shared key> token is resolved by the server against the vault, so the clear-text password appears neither in the deployment nor in standalone.xml. The token is produced by the vault tool, as shown in the session below.
anil at localhost:~/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/bin$ sh util/vault.sh
=========================================================================
JBoss Vault
JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT
JAVA: /opt/java/jdk1.6.0_23/bin/java
VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/security/main/*
=========================================================================
**********************************
**** JBoss Vault ********
**********************************
Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
0
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password:
Enter Keystore password again:
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):25
Please make note of the following:
********************************************
Masked Password:MASK-DjeJRxMmsyt
salt:12345678
Iteration Count:25
********************************************
Enter Keystore Alias:vault
Jan 11, 2012 1:02:37 PM org.jboss.security.vault.SecurityVaultFactory get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Jan 11, 2012 1:02:38 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: Default Security Vault Implementation Initialized and Ready
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
0
Task: Store a password
Please enter attribute value:
Please enter attribute value again:
Values match
Enter Vault Block:DS
Enter Attribute Name:thePass
Attribute Value for (DS, thePass) saved
Please make note of the following:
********************************************
Vault Block:DS
Attribute Name:thePass
Shared Key:OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0
Configuration should be done as follows:
VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0
********************************************
Please enter a Digit:: 0: Store a password 1: Check whether password exists 2: Exit
2
anil at localhost:~/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/bin$
I entered "sa" for the attribute value.
I entered "vault22" for keystore password
My standalone/configuration/standalone.xml contains the following:
<?xml version='1.0' encoding='UTF-8'?>
<server name="localhost.sadbhav" xmlns="urn:jboss:domain:1.1" xmlns:xsd="http://www.w3.org/2001/XMLSchema-instance">
    <extensions>
        ...
    </extensions>
    <vault>
        <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
        <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
        <vault-option name="KEYSTORE_ALIAS" value="vault"/>
        <vault-option name="SALT" value="12438567"/>
        <vault-option name="ITERATION_COUNT" value="50"/>
        <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
    <management> ....
When I go to the web application at http://localhost:8080/vaulterror-web-1.0-SNAPSHOT/my/ I get the value "true".
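The values that vault.sh tells you to note (masked keystore password, salt, iteration count, keystore alias) are the ones that have to appear in the <vault> element, and the shared key printed for each stored attribute is, when base64-decoded, "<uuid>LINE_BREAK<keystore alias>" (decoding the key shown above gives exactly that). The transcript above printed salt 12345678, iteration count 25 and MASK-DjeJRxMmsyt, while the posted standalone.xml carries 12438567, 50 and MASK-3y28rCZlcKR, so they evidently come from different vault.sh sessions. The following script is an added example, not part of the original post and not PicketBox code: it cross-checks a standalone.xml <vault> section against the values noted from a vault.sh session and checks that a VAULT:: reference names the configured alias. The sample XML is constructed from the vault-options posted above; the session values and the VAULT:: token are those printed in the transcript.

```python
# Added example (not from the original post or PicketBox): offline consistency checks for
# the AS7 vault values shown above. Sample inputs are constructed from the page's own data.
import base64
import re
import xml.etree.ElementTree as ET

VAULT_REF = re.compile(r"^VAULT::(?P<block>[^:]+)::(?P<attr>[^:]+)::(?P<key>[A-Za-z0-9+/=]+)$")
MASK_PREFIX = "MASK-"
SEPARATOR = "LINE_BREAK"  # separator found inside the decoded shared key printed by vault.sh


def parse_vault_ref(ref):
    """Split a VAULT::block::attr::sharedkey token and decode its shared key.

    The decoded shared key has the form '<uuid>LINE_BREAK<keystore alias>', so the alias
    the reference was generated for can be compared with KEYSTORE_ALIAS.
    """
    m = VAULT_REF.match(ref.strip())
    if not m:
        raise ValueError("not a VAULT:: reference: %r" % ref)
    decoded = base64.b64decode(m.group("key")).decode("ascii")
    uuid, sep, alias = decoded.partition(SEPARATOR)
    if not sep:
        raise ValueError("shared key does not contain the %s separator" % SEPARATOR)
    return {"block": m.group("block"), "attr": m.group("attr"),
            "shared_key": m.group("key"), "uuid": uuid, "alias": alias}


def vault_options(xml_text):
    """Collect <vault-option name=... value=...> pairs, ignoring the urn:jboss:domain namespace."""
    opts = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "vault-option":
            opts[el.get("name")] = el.get("value")
    return opts


def check_vault_options(opts, session):
    """Compare the standalone.xml vault-options with what the vault.sh session printed.

    `session` carries the values the tool said to note: masked password, salt,
    iteration count and keystore alias. Returns a list of findings (empty means consistent).
    """
    findings = []
    salt = opts.get("SALT", "")
    if len(salt) != 8:  # vault.sh asks for an 8 character salt
        findings.append("SALT must be exactly 8 characters, got %r" % salt)
    if not opts.get("ITERATION_COUNT", "").isdigit() or int(opts["ITERATION_COUNT"]) < 1:
        findings.append("ITERATION_COUNT must be a positive integer, got %r" % opts.get("ITERATION_COUNT"))
    if not opts.get("KEYSTORE_PASSWORD", "").startswith(MASK_PREFIX):
        findings.append("KEYSTORE_PASSWORD is not masked (expected a %s value)" % MASK_PREFIX)
    for option, key in (("KEYSTORE_PASSWORD", "masked_password"), ("SALT", "salt"),
                        ("ITERATION_COUNT", "iteration_count"), ("KEYSTORE_ALIAS", "alias")):
        if opts.get(option) != session[key]:
            findings.append("%s is %r in standalone.xml but the vault.sh session printed %r"
                            % (option, opts.get(option), session[key]))
    return findings


def check_vault_ref(ref, opts):
    """The alias embedded in a shared key must be the KEYSTORE_ALIAS the server will use."""
    info = parse_vault_ref(ref)
    if info["alias"] != opts.get("KEYSTORE_ALIAS"):
        return ["shared key for (%s, %s) names alias %r but KEYSTORE_ALIAS is %r"
                % (info["block"], info["attr"], info["alias"], opts.get("KEYSTORE_ALIAS"))]
    return []


# Constructed sample: the vault-option values posted above, wrapped in a minimal <server>.
SAMPLE_XML = """<server name="localhost.sadbhav" xmlns="urn:jboss:domain:1.1">
  <vault>
    <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12438567"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
  </vault>
</server>"""

# Values the vault.sh transcript above told the user to make note of.
PAGE_SESSION = {"masked_password": "MASK-DjeJRxMmsyt", "salt": "12345678",
                "iteration_count": "25", "alias": "vault"}

# The reference used in the @DataSourceDefinition annotation above.
PAGE_REF = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0"


def run_checks(xml_text=SAMPLE_XML, session=PAGE_SESSION, ref=PAGE_REF):
    opts = vault_options(xml_text)
    return check_vault_options(opts, session) + check_vault_ref(ref, opts)


if __name__ == "__main__":
    for finding in run_checks() or ["vault configuration is consistent with the vault.sh session"]:
        print(finding)
```

Run against the page's own data the script reports three mismatches (keystore password mask, salt, iteration count) and no alias problem; with the values from a single session it reports nothing. Two things worth keeping in mind: the MASK- value is derived from the salt and iteration count that sit beside it in standalone.xml, so masking keeps the keystore password out of casual view rather than protecting it from anyone who can read the file, and the files under ENC_FILE_DIR together with vault.keystore are what actually hold the secrets; file permissions on both still matter.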
--------------------------------------------------------------