[jboss-jira] [JBoss JIRA] Created: (JBAS-8353) PATCH: Support obfuscated System Properties

[Andrew Oliver (JIRA)]

PATCH: Support obfuscated System Properties
-------------------------------------------

                 Key: JBAS-8353
                 URL: https://jira.jboss.org/browse/JBAS-8353
             Project: JBoss Application Server
          Issue Type: Patch
      Security Level: Public (Everyone can see)
         Environment: ALL
            Reporter: Andrew Oliver
            Assignee: Andrew Oliver


when you put -Djboss.sysprop.obfuscation in your run.conf JBOSS_OPTS, the SecurityIdentityLoginModule decode function is used to decode properties ending in _OBFUSCATED

i.e.

server/default/conf/test.properties
mypassword_OBFUSCATED=5dfc52b51bd35553df8592078de921bc

server/default/deploy/properties-service.xml
  <mbean code="org.jboss.varia.property.SystemPropertiesService" 
         name="jboss:type=Service,name=SystemProperties">

    <attribute name="URLList">
      ./conf/test.properties
    </attribute>
 </mbean>

then in your System.getProperties you have:
mypassword	password
mypassword_OBFUSCATED	5dfc52b51bd35553df8592078de921bc

So you can then use those properties in your config files with ${mypassword}

you can use the same tool in: http://community.jboss.org/wiki/EncryptingDataSourcePasswords to obfuscate passwords in the property file...

This helps you pass dumb security audits that require you to do dumb things that have nothing to do with security but fake security through needless labor is an industry standard that we have to live with.  


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira