[jboss-jira] [JBoss JIRA] Closed: (JBAS-2895) Extend SecureIdentityLoginModule to externalize the secret

Scott M Stark (JIRA) jira-events at jboss.com
Mon Jan 22 03:13:53 EST 2007


     [ http://jira.jboss.com/jira/browse/JBAS-2895?page=all ]

Scott M Stark closed JBAS-2895.
-------------------------------

    Resolution: Done

A new org.jboss.resource.security.PBEIdentityLoginModule has been added that extends the SecureIdentityLoginModule to provide control over the masking password and cipher.

wiki info:

!! Configured Identity with Password Based Encryption

An extension to configured identity that uses a credential that is encrypted using a PBE cipher.

Example login-module.xml entries are:
{{{
   <application-policy name = "testPBEIdentityLoginModule">
      <authentication>
         <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
            flag = "required">
            <module-option name = "principal">sa</module-option>
            <module-option name = "userName">sa</module-option>
            <!--
            output from:
               org.jboss.resource.security.PBEIdentityLoginModule
               thesecret testPBEIdentityLoginModule abcdefgh 19 PBEWithMD5AndDES 
            -->
            <module-option name = "password">3fp7R/7TMjyTTxhmePdJVk</module-option>
            <module-option name = "ignoreMissigingMCF">true</module-option>
            <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
            <module-option name = "pbepass">testPBEIdentityLoginModule</module-option>
            <module-option name = "salt">abcdefgh</module-option>
            <module-option name = "iterationCount">19</module-option>
            <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
         </login-module>
      </authentication>
   </application-policy>
   <application-policy name = "testPBEIdentityLoginModuleTmpFilePassword">
      <authentication>
         <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
            flag = "required">
            <module-option name = "principal">sa</module-option>
            <module-option name = "userName">sa</module-option>
            <!--
               output from:
               org.jboss.resource.security.PBEIdentityLoginModule
               thesecret2 testPBEIdentityLoginModuleTmpFilePassword abcdefgh 19 PBEWithMD5AndDES 
            -->
            <module-option name = "password">2zff525DS/OgTuWuJtHYHa</module-option>
            <module-option name = "ignoreMissigingMCF">true</module-option>
            <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
            <module-option name = "pbepass">{CLASS}org.jboss.security.plugins.TmpFilePassword:${java.io.tmpdir}/tmp.password,5000</module-option>
            <module-option name = "salt">abcdefgh</module-option>
            <module-option name = "iterationCount">19</module-option>
            <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
         </login-module>
      </authentication>
   </application-policy> 
}}}

This uses password based encryption (PBE) with algorithm parameters derived from the pbealgo, pbepass, salt and iterationCount options:
* pbealgo - the PBE algorithm to use. Defaults to PBEwithMD5andDES.
* pbepass - the PBE password to use. Can use the JaasSecurityDomain {CLASS} and {EXT} syntax to obtain the password from outside of the configuration. Defaults to "jaas is the way".
* salt - the PBE salt as a string. Defaults to {1, 7, 2, 9, 3, 11, 4, 13}.
* iterationCount - the PBE iterationCount. Defaults to 37.



> Extend SecureIdentityLoginModule to externalize the secret
> ----------------------------------------------------------
>
>                 Key: JBAS-2895
>                 URL: http://jira.jboss.com/jira/browse/JBAS-2895
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: JCA service, Security
>    Affects Versions: JBossAS-4.0.3 SP1, JBossAS-3.2.8 Final
>            Reporter: Scott M Stark
>         Assigned To: Scott M Stark
>             Fix For: JBossAS-4.2.0.CR1
>
>
> The SecureIdentityLoginModule is a simple security by obscurity approach to hiding the jca password. Having the secret used by the PBE externalized with an ability to hash it reversibly would make this more flexible.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
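The following is an added stand-alone example, written for this page and not taken from JBoss or from the message above. It shows, with plain JCE calls, the masking scheme the module options describe: a PBEWithMD5AndDES cipher is built from pbepass, salt and iterationCount, the JCA credential is encrypted to produce the value placed in the "password" option, and the same four parameters decrypt it again at deploy time. The class name PbeMaskDemo, the helper names and the use of standard Base64 for the output string are assumptions; the values in the configuration above are not standard Base64 (they are unpadded), so this program's output will not match them byte for byte, but the key derivation and cipher are the same. Requires Java 11 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;

// Hypothetical demo of the masking scheme; this is not the JBoss
// PBEIdentityLoginModule and it does not reproduce JBoss's own string encoding.
public class PbeMaskDemo {

    // Parameters taken from the testPBEIdentityLoginModule policy in the message above.
    static final String PBE_ALGO = "PBEWithMD5AndDES";
    static final String PBE_PASS = "testPBEIdentityLoginModule";
    // PBEWithMD5AndDES requires exactly 8 salt bytes; "abcdefgh" happens to be 8.
    static final byte[] SALT = "abcdefgh".getBytes(StandardCharsets.UTF_8);
    static final int ITERATION_COUNT = 19;

    // Build the cipher from the four configuration-visible parameters.
    static Cipher pbeCipher(int mode, char[] pbePass, byte[] salt, int count) throws Exception {
        PBEKeySpec keySpec = new PBEKeySpec(pbePass);
        SecretKey key = SecretKeyFactory.getInstance(PBE_ALGO).generateSecret(keySpec);
        keySpec.clearPassword();
        Cipher cipher = Cipher.getInstance(PBE_ALGO);
        cipher.init(mode, key, new PBEParameterSpec(salt, count));
        return cipher;
    }

    // Counterpart of the command line quoted in the config comments:
    // clear-text secret -> value for the "password" module-option.
    static String mask(String secret, char[] pbePass, byte[] salt, int count) throws Exception {
        byte[] ct = pbeCipher(Cipher.ENCRYPT_MODE, pbePass, salt, count)
                .doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct); // standard Base64 (assumption, differs from JBoss)
    }

    // What the login module does when it initializes: "password" option -> JCA credential.
    static String unmask(String masked, char[] pbePass, byte[] salt, int count) throws Exception {
        byte[] pt = pbeCipher(Cipher.DECRYPT_MODE, pbePass, salt, count)
                .doFinal(Base64.getDecoder().decode(masked));
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Stand-in for the {CLASS}...TmpFilePassword idea: pbepass is read from a file
    // outside the XML instead of being written next to the masked value.
    static char[] pbePassFromFile(Path file) throws Exception {
        return Files.readString(file).trim().toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pbePass = args.length == 1 ? pbePassFromFile(Path.of(args[0]))
                                          : PBE_PASS.toCharArray();

        String masked = mask("thesecret", pbePass, SALT, ITERATION_COUNT);
        System.out.println("module-option password = " + masked);

        String recovered = unmask(masked, pbePass, SALT, ITERATION_COUNT);
        if (!"thesecret".equals(recovered)) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("recovered credential   = " + recovered);

        // The masking is reversible by design: salt and iterationCount are in the
        // config, so pbepass is the only thing a reader of login-config.xml lacks.
        // Externalizing it ({CLASS}/{EXT}) only helps if the file it points to is
        // readable by the server process alone.
    }
}
```

Run it with `java PbeMaskDemo.java` to use the inline pbepass, or `java PbeMaskDemo.java /path/to/pbepass.txt` to take the PBE password from a file the way the second policy does with TmpFilePassword. Changing any one of pbepass, salt or iterationCount between mask and unmask makes `doFinal` throw a BadPaddingException, which is the same failure a misconfigured module would see at deploy time.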