[jboss-jira] [JBoss JIRA] Updated: (JBAS-8353) PATCH: Support obfuscated System Properties

Andrew Oliver (JIRA) jira-events at lists.jboss.org
Fri Aug 20 16:18:12 EDT 2010


     [ https://jira.jboss.org/browse/JBAS-8353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Oliver updated JBAS-8353:
--------------------------------

    Attachment: run.conf


Example run.conf adding the required property.

> PATCH: Support obfuscated System Properties
> -------------------------------------------
>
>                 Key: JBAS-8353
>                 URL: https://jira.jboss.org/browse/JBAS-8353
>             Project: JBoss Application Server
>          Issue Type: Patch
>      Security Level: Public(Everyone can see) 
>         Environment: ALL
>            Reporter: Andrew Oliver
>            Assignee: Andrew Oliver
>            Priority: Minor
>         Attachments: jbosssx.jar, jbosssx.jar, patch, patch.jar, properties-service.xml, run.conf, test.properties
>
>
> When you put -Djboss.sysprop.obfuscation=true in your run.conf JBOSS_OPTS, the SecurityIdentityLoginModule decode function is used to decode properties ending in _OBFUSCATED.
> i.e.
> server/default/conf/test.properties:
> mypassword_OBFUSCATED=5dfc52b51bd35553df8592078de921bc
> server/default/deploy/properties-service.xml:
>   <mbean code="org.jboss.varia.property.SystemPropertiesService"
>          name="jboss:type=Service,name=SystemProperties">
>     <attribute name="URLList">
>       ./conf/test.properties
>     </attribute>
>   </mbean>
> Then in your System.getProperties you have:
> mypassword              password
> mypassword_OBFUSCATED   5dfc52b51bd35553df8592078de921bc
> So you can then use those properties in your config files with ${mypassword}.
> You can use the same tool in: http://community.jboss.org/wiki/EncryptingDataSourcePasswords to obfuscate passwords in the property file...
> This helps you pass dumb security audits that require you to do dumb things that have nothing to do with security, but fake security through needless labor is an industry standard that we have to live with.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
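
The suffix handling described in the issue, as an added sketch that is not the attached patch and not JBoss code. The class name, the rule that an explicitly set plain property wins, and the hex stand-in decoder are assumptions of this sketch; the sample value is constructed so the stand-in can decode it, and the login module's own decode function is not reproduced.

```java
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.TreeSet;
import java.util.function.UnaryOperator;

// Added illustration, not the JBAS-8353 patch or JBoss code.
public class ObfuscatedPropsSketch {
    static final String SUFFIX = "_OBFUSCATED";

    // Copies 'in'; when enabled, each "<name>_OBFUSCATED" entry also yields a
    // decoded "<name>" entry. The obfuscated entry is kept, as in the issue's listing.
    static Properties expand(Properties in, boolean enabled, UnaryOperator<String> decoder) {
        Properties out = new Properties();
        out.putAll(in);
        if (!enabled) return out;
        for (String key : in.stringPropertyNames()) {
            // Skip keys without the suffix, and the bare suffix with no name in front.
            if (!key.endsWith(SUFFIX) || key.length() == SUFFIX.length()) continue;
            String plainKey = key.substring(0, key.length() - SUFFIX.length());
            // Assumption of this sketch: an explicitly set plain property wins.
            if (in.getProperty(plainKey) != null) continue;
            out.setProperty(plainKey, decoder.apply(in.getProperty(key)));
        }
        return out;
    }

    // Hypothetical stand-in decoder (hex to UTF-8). It is NOT the login module's decode function.
    static String hexStandIn(String hex) {
        byte[] b = new byte[hex.length() / 2];
        for (int i = 0; i < b.length; i++)
            b[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return new String(b, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Properties file = new Properties();
        file.setProperty("mypassword_OBFUSCATED", "70617373776f7264"); // constructed sample
        file.setProperty("_OBFUSCATED", "00");                         // bare suffix: ignored
        boolean enabled = true; // stands for -Djboss.sysprop.obfuscation=true
        Properties result = expand(file, enabled, ObfuscatedPropsSketch::hexStandIn);
        // Print names only; the decoded value is now held in clear under "mypassword".
        System.out.println(new TreeSet<>(result.stringPropertyNames()));
        System.out.println("mypassword decoded: " + (result.getProperty("mypassword") != null));
    }
}
```

As the listing in the issue shows, the decoded value sits in the system properties in clear next to the obfuscated one, so anything that can enumerate system properties needs the same access control as the password itself.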

        

