[jboss-jira] [JBoss JIRA] Reopened: (JBAS-8353) PATCH: Support obfuscated System Properties

Jason Greene (JIRA) jira-events at lists.jboss.org
Thu Apr 21 14:26:49 EDT 2011 

     [ https://issues.jboss.org/browse/JBAS-8353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Greene reopened JBAS-8353:
--------------------------------



Due to feedback from the community, I have split the AS7 and AS6 projects and reopened all unscheduled AS6 issues that are a year or less old. This will make it easier community members to find and work on them.

Future releases beyond 6.1 can be done provided a community member steps up to coordinate them.

> PATCH: Support obfuscated System Properties
> -------------------------------------------
>
>                 Key: JBAS-8353
>                 URL: https://issues.jboss.org/browse/JBAS-8353
>             Project: Legacy JBoss Application Server 6 
>          Issue Type: Patch
>      Security Level: Public(Everyone can see) 
>         Environment: ALL
>            Reporter: Andrew Oliver
>            Assignee: Andrew Oliver
>            Priority: Minor
>             Fix For: No Release
>
>         Attachments: jbosssx.jar, jbosssx.jar, patch, patch-50, patch.jar, properties-service.xml, run.conf, test.properties
>
>
> when you put -Djboss.sysprop.obfuscation=true in your run.conf JBOSS_OPTS, the SecurityIdentityLoginModule decode function is used to decode properties ending in _OBFUSCATED
> i.e.
> server/default/conf/test.properties
> mypassword_OBFUSCATED=5dfc52b51bd35553df8592078de921bc
> server/default/deploy/properties-service.xml
>   <mbean code="org.jboss.varia.property.SystemPropertiesService" 
>          name="jboss:type=Service,name=SystemProperties">
>     <attribute name="URLList">
>       ./conf/test.properties
>     </attribute>
>  </mbean>
> then in your System.getProperties you have:
> mypassword	password
> mypassword_OBFUSCATED	5dfc52b51bd35553df8592078de921bc
> So you can then use those properties in your config files with ${mypassword}
> you can use the same tool in: http://community.jboss.org/wiki/EncryptingDataSourcePasswords to obfuscate passwords in the property file...
> This helps you pass dumb security audits that require you to do dumb things that have nothing to do with security but fake security through needless labor is an industry standard that we have to live with.  

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list