[security-dev] Password masking/clear text
Rodney Russ
rruss at redhat.com
Thu Mar 14 17:02:38 EDT 2013
I would think migrating from PicketBox to PicketLink would make sense to simplify things moving forward (i.e. all your security needs are fulfilled by PL).
----- "Anil Saldhana" <Anil.Saldhana at redhat.com> wrote:
> Hi All,
>
> *Background* :-
> Almost all projects have a password that needs to be configured in a configuration file or needs to be set as a value in an annotation. Nobody likes to see cleartext passwords.
>
> *What we did until now* :-
> Since encryption/decryption requires a symmetric key and it is a pain to manage symmetric keys, we have used Password Based Encryption (PBE), which is not bullet-proof encryption but a low-grade attempt at masking the passwords.
> PicketBox historically had the PBE utility classes.
> PicketBox4 has the Vault interface/default implementation that was placed into AS7. The Vault uses AES encryption to encrypt the passwords using a Java Keystore. But it has a weak link (PBE to mask the password to the keystore).
>
> *Why do we need to think about this?* :-
> JBoss Community projects either run standalone (sometimes they may need to run on different App Servers) or run in JBoss AS. An example would be Drools Management (aka BRMS). If the project runs on JBoss AS, you should be using the vault facility to mask the passwords.
>
> What do we do with standalone projects for the future?
> a) We can ask them to download the picketbox library as a dependency and build on the vault SPI, or
> b) Migrate the vault from PicketBox to PicketLink going forward.
>
> Thoughts?
>
> Regards,
> Anil
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
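The keystore-backed vault pattern Anil describes, as an added Java sketch that is not PicketBox or PicketLink code: the configuration file holds only an AES-GCM blob, the AES key lives in a Java keystore, and the keystore password is taken from the runtime environment rather than from a PBE-masked string (the weak link in the mail). The environment variable name VAULT_KEYSTORE_PASSWORD, the entry alias and the sample database password are assumptions made for the demo.

```java
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
public class VaultDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Encrypt one configured password under the AES key held in the keystore entry.
    // Output is iv || ciphertext || GCM tag, Base64 so the blob can sit in a config file.
    static String seal(KeyStore ks, String alias, char[] ksPw, String secret) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, ksPw);
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(secret.getBytes("UTF-8"));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverse of seal(); GCM tag verification throws if the blob was altered in the config.
    static String open(KeyStore ks, String alias, char[] ksPw, String blob) throws Exception {
        SecretKey key = (SecretKey) ks.getKey(alias, ksPw);
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // The keystore password is the weak link: PBE-masking it with a passphrase that ships
        // in the code is only obfuscation, so this demo insists it is supplied at runtime.
        String pw = System.getenv("VAULT_KEYSTORE_PASSWORD"); // assumed variable name
        if (pw == null) throw new IllegalStateException("set VAULT_KEYSTORE_PASSWORD at runtime");
        char[] ksPw = pw.toCharArray();
        // In-memory JCEKS keystore with one AES-256 entry (a deployment would load() it from disk).
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ks.setEntry("vault-key", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(ksPw));
        String blob = seal(ks, "vault-key", ksPw, "constructed-db-password"); // what the config holds
        System.out.println("config value: " + blob);
        System.out.println("recovered:    " + open(ks, "vault-key", ksPw, blob));
    }
}
```

Persisting the keystore with ks.store() and loading it at startup keeps the same split: key material on disk under a password the process receives at runtime, and only an opaque blob in the configuration file.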