[security-dev] Password masking/clear text

Anil Saldhana Anil.Saldhana at redhat.com
Thu Mar 14 11:59:08 EDT 2013


Hi All,

*Background* :-
Almost all projects have a password that needs to be configured in a configuration file or needs to be set as a value in an annotation. Nobody likes to see cleartext passwords.

*What we did until now* :-
Since encryption/decryption requires a symmetric key and it is a pain to manage symmetric keys, we have used Password Based Encryption (PBE), which is not bullet-proof encryption but a low-grade attempt at masking the passwords.
PicketBox historically had the PBE utility classes.
PicketBox4 has the Vault interface/default implementation that was placed into AS7. The Vault uses AES encryption to encrypt the passwords using a Java Keystore. But it uses a weak link (PBE to mask the password to the keystore).

*Why do we need to think about this?* :-
JBoss Community projects either run standalone (sometimes they may need to run on different App Servers) or run in JBoss AS. An example would be Drools Management (aka BRMS). If the project runs on JBoss AS, you should be using the vault facility to mask the passwords.

What do we do with standalone projects for the future?
a) We can ask them to download the picketbox library as a dependency and build on the vault SPI, or
b) Migrate the vault from PicketBox to PicketLink going forward.

Thoughts?

Regards,
Anil
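The chain the mail describes (config passwords encrypted with AES under a key held in a password-protected keystore, with the keystore password itself only PBE-masked) can be shown in miniature. The following Go program is an added example for this archive page; it is not code from the mail, from PicketBox or from PicketLink, which are Java and differ in detail. The passphrase, salts, iteration count, the `Vault` type and its fields are all constructed for the illustration; a tiny stdlib-only PBKDF2 stands in for whatever PBE scheme a real masking utility uses, and `SealedKeyStore` stands in for the Java keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// pbkdf2 is single-block PBKDF2-HMAC-SHA256 (RFC 8018): 32 bytes, enough for AES-256.
func pbkdf2(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): the first and only block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// aead builds AES-256-GCM; a bad key size is the only error, ruled out by the 32-byte KDF output.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Seal prefixes a fresh random 12-byte nonce to the GCM ciphertext.
func Seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; any tampering fails the GCM tag check.
func Open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("sealed value too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Everything the PBE masking step depends on; the application must carry all of
// it to unmask at start-up. The values are constructed for this example.
var (
	maskPassphrase = []byte("example-masking-passphrase")
	maskSalt       = []byte("example-mask-salt")
	keystoreSalt   = []byte("example-keystore-salt")
)

// MaskPassword is the PBE "masking" from the mail: the output looks like
// ciphertext, but its key is fixed entirely by the constants above.
func MaskPassword(clear string) []byte {
	return Seal(pbkdf2(maskPassphrase, maskSalt, 1000), []byte(clear))
}

// UnmaskPassword takes no secret input, which is the weak link.
func UnmaskPassword(masked []byte) (string, error) {
	p, err := Open(pbkdf2(maskPassphrase, maskSalt, 1000), masked)
	return string(p), err
}

// Vault mirrors the chain in the mail: secrets are AES-encrypted under a key held
// in a password-protected keystore, and the keystore password is stored masked.
type Vault struct {
	MaskedKeystorePassword []byte
	SealedKeyStore         []byte // vault key, sealed under a key derived from the keystore password
}

func NewVault(keystorePassword string) *Vault {
	vaultKey := make([]byte, 32) // random AES-256 key, never stored in clear
	if _, err := rand.Read(vaultKey); err != nil {
		panic(err)
	}
	ksKey := pbkdf2([]byte(keystorePassword), keystoreSalt, 1000)
	return &Vault{MaskedKeystorePassword: MaskPassword(keystorePassword), SealedKeyStore: Seal(ksKey, vaultKey)}
}

// Key walks the chain exactly as application start-up must: unmask the keystore
// password, open the keystore, recover the vault key. Nothing secret goes in.
func (v *Vault) Key() ([]byte, error) {
	ksPass, err := UnmaskPassword(v.MaskedKeystorePassword)
	if err != nil {
		return nil, err
	}
	return Open(pbkdf2([]byte(ksPass), keystoreSalt, 1000), v.SealedKeyStore)
}
```

Usage is `v := NewVault("keystore-pw")`, then `k, _ := v.Key()` and `Seal(k, []byte("db-password"))` for each configuration password to be stored. The point to notice is the signature of `Key()`: it needs nothing beyond the serialized vault and the constants compiled into the program, because a start-up with no operator present cannot be given anything else. The AES layer is sound, but whoever holds the same artifacts and constants can walk the same chain, so the vault's strength is bounded by the masking step, exactly the "weak link" the mail names.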
