EncryptingDataSourcePasswords
Source: Internet  Published under: mac地址上网ip  Editor: 程序博客网  Time: 2024/06/05 08:33
A simple login module for encrypting a datasource password
The org.jboss.resource.security.SecureIdentityLoginModule from jboss-jca.jar can be used to keep an encoded database password in the login-config.xml security domain instead of a cleartext password in the datasource configuration. It encrypts and decrypts the datasource password with a key that is hard-coded in the class (Blowfish), so the encoded value is obfuscation rather than a secret in its own right: anyone who can read login-config.xml and has the jar can recover the cleartext, and the conf/ directory must still be protected accordingly. You can encode the datasource password with the SecureIdentityLoginModule main method by passing in the cleartext password, here shown as 'password':
JBoss 4.0.x (Win)
$ java -cp "lib/jboss-jmx.jar;lib/jboss-common.jar;server/default/lib/jboss-jca.jar;server/default/lib/jbosssx.jar" org.jboss.resource.security.SecureIdentityLoginModule password
Encoded password: 5dfc52b51bd35553df8592078de921bc
(Run from the JBoss install directory. The ';' classpath separator is for Windows; on Unix use ':'. The encoding is deterministic, so the same cleartext always yields the same encoded string.)
The datasource *-ds.xml should then not use the user-name and password settings, and instead specify the security-domain that maps to the login-config.xml entry for the SecureIdentityLoginModule config.
<datasources>
<local-tx-datasource>
<jndi-name>DefaultDS</jndi-name>
<connection-url>jdbc:oracle:thin:@dev-db:1000:abc</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<blocking-timeout-millis>5000</blocking-timeout-millis>
<idle-timeout-minutes>15</idle-timeout-minutes>
<max-pool-size>20</max-pool-size>
<min-pool-size>10</min-pool-size>
<!-- Use the security domain defined in conf/login-config.xml -->
<security-domain>EncryptDBPassword</security-domain>
</local-tx-datasource>
</datasources>
The login-config.xml entry for the EncryptDBPassword security domain would look like:
<policy>
<!-- Example usage of the SecureIdentityLoginModule -->
<application-policy name = "EncryptDBPassword">
<authentication>
<login-module code = "org.jboss.resource.security.SecureIdentityLoginModule"
flag = "required">
<module-option name = "username">admin</module-option>
<module-option name = "password">5dfc52b51bd35553df8592078de921bc</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>
</policy>
If you use an xa-datasource, the managedConnectionFactoryName module-option should name the XA connection manager instead (in both cases the name=... part must match the jndi-name of the datasource):
<module-option name = "managedConnectionFactoryName">jboss.jca:service=XATxCM,name=DefaultDS</module-option>
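The following Java program is an added example, not code from the original wiki page or from JBoss itself. It reproduces the encode/decode transformation of the JBoss 4.x SecureIdentityLoginModule (Blowfish in its default ECB/PKCS5 mode with the fixed key "jaas is the way" compiled into that class, hex output via BigInteger) so you can see exactly what the protection amounts to: the decode() half is what the login module runs at deployment, and it needs nothing that is not in the public jar. The class name SecureIdentityDemo is an assumption; verify the key against the SecureIdentityLoginModule in your own jboss-jca.jar before relying on the output.

```java
import java.math.BigInteger;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example (not JBoss code): reproduces the encode/decode algorithm of
 * SecureIdentityLoginModule in JBoss 4.x so the properties of the scheme can be
 * inspected. The key below is the fixed Blowfish key used by that class in the
 * JBoss 4.x source; check it against the class in your own jboss-jca.jar.
 */
public class SecureIdentityDemo {

    // Fixed key compiled into SecureIdentityLoginModule (JBoss 4.x source).
    private static final byte[] KEY_BYTES = "jaas is the way".getBytes();

    /** Same transformation as the module's main(): Blowfish (ECB/PKCS5Padding), hex via BigInteger. */
    static String encode(String secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY_BYTES, "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish"); // defaults to Blowfish/ECB/PKCS5Padding
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encoding = cipher.doFinal(secret.getBytes());
        // Signed two's-complement interpretation: the hex string starts with '-'
        // when the first ciphertext byte has its high bit set. That is normal.
        return new BigInteger(encoding).toString(16);
    }

    /** Reverse of encode(): what the login module does when the datasource deploys. */
    static char[] decode(String secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(KEY_BYTES, "Blowfish");
        byte[] encoding = new BigInteger(secret, 16).toByteArray();
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(encoding)).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        String clear = args.length > 0 ? args[0] : "password";
        String encoded = encode(clear);
        System.out.println("Encoded password: " + encoded);
        // Anyone who can read login-config.xml and has jboss-jca.jar can do this step:
        System.out.println("Decoded back    : " + new String(decode(encoded)));
    }
}
```

Compile with javac and run as `java SecureIdentityDemo password`. Because the cipher is ECB with a fixed key and no IV, the output is deterministic: two datasources with the same database password produce identical module-option values, and the encoded string is as sensitive as the cleartext. A rare edge case inherited from the BigInteger round trip is that a ciphertext whose first byte is 0x00 loses that byte in decode(), so an encoded value that the program cannot decode back should be caught here rather than at deployment.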
A KeyStore based login module for encrypting a datasource password
The org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule is a login module for statically defining a data source username and password, where the password has been encrypted by a JaasSecurityDomain (password-based encryption using the domain's Salt and IterationCount, keyed by the domain's KeyStorePass). Unlike SecureIdentityLoginModule, the key is not in the jar: it is derived from a master password that is kept out of login-config.xml. The encoded (base64-style) form of the data source password may be generated using the PBEUtils command:
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils salt count domain-password data-source-password
The PBEUtils command args are:
salt : the Salt attribute from the JaasSecurityDomain (8 characters)
count : the IterationCount attribute from the JaasSecurityDomain
domain-password : the plaintext password that maps to the KeyStorePass attribute from the JaasSecurityDomain
data-source-password : the plaintext password for the data source that should be encrypted with the JaasSecurityDomain password
The salt and count must be exactly the values configured on the JaasSecurityDomain mbean; otherwise the server derives a different key and fails to decrypt the password when the datasource deploys.
for example:
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master ''
Encoded password: E5gtGMKcXPP
A sample login-config.xml configuration entry would be:
<application-policy name = "EncryptedHsqlDbRealm">
<authentication>
<login-module code = "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
flag = "required">
<module-option name = "username">sa</module-option>
<module-option name = "password">E5gtGMKcXPP</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
<module-option name = "jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
</login-module>
</authentication>
</application-policy>
The docs/examples/jca/hsqldb-encrypted-ds.xml file illustrates this datasource configuration together with the JaasSecurityDomain configuration whose Salt and IterationCount attributes the PBEUtils arguments must match:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The Hypersonic embedded database JCA connection factory config
that illustrates the use of the JaasSecurityDomainIdentityLoginModule
to use encrypted password in the data source configuration.
$Id: hsqldb-encrypted-ds.xml,v 1.1.2.1 2004/06/04 02:20:52 starksm Exp $ -->
<datasources>
<local-tx-datasource>
<!-- The jndi name of the DataSource, it is prefixed with java:/ -->
<!-- Datasources are not available outside the virtual machine -->
<jndi-name>DefaultDS</jndi-name>
<!-- for tcp connection, allowing other processes to use the hsqldb
database. This requires the org.jboss.jdbc.HypersonicDatabase mbean.
<connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
-->
<!-- for totally in-memory db, not saved when jboss stops.
The org.jboss.jdbc.HypersonicDatabase mbean necessary
<connection-url>jdbc:hsqldb:.</connection-url>
-->
<!-- for in-process persistent db, saved when jboss stops. The
org.jboss.jdbc.HypersonicDatabase mbean is necessary for properly db shutdown
-->
<connection-url>jdbc:hsqldb:${jboss.server.data.dir}${/}hypersonic${/}localDB</connection-url>
<!-- The driver class -->
<driver-class>org.hsqldb.jdbcDriver</driver-class>
<!--example of how to specify class that determines if exception means connection should be destroyed-->
<!--exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.DummyExceptionSorter</exception-sorter-class-name-->
<!-- this will be run before a managed connection is removed from the pool for use by a client-->
<!--<check-valid-connection-sql>select * from something</check-valid-connection-sql> -->
<!-- The minimum connections in a pool/sub-pool. Pools are lazily constructed on first use -->
<min-pool-size>5</min-pool-size>
<!-- The maximum connections in a pool/sub-pool -->
<max-pool-size>20</max-pool-size>
<!-- The time before an unused connection is destroyed -->
<!-- NOTE: This is the check period. It will be destroyed somewhere between 1x and 2x this timeout after last use -->
<!-- TEMPORARY FIX! - Disable idle connection removal, HSQLDB has a problem with not reaping threads on closed connections -->
<idle-timeout-minutes>0</idle-timeout-minutes>
<!-- sql to call when connection is created
<new-connection-sql>some arbitrary sql</new-connection-sql>
-->
<!-- sql to call on an existing pooled connection when it is obtained from pool
<check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
-->
<!-- example of how to specify a class that determines a connection is valid before it is handed out from the pool
<valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.DummyValidConnectionChecker</valid-connection-checker-class-name>
-->
<!-- Whether to check all statements are closed when the connection is returned to the pool,
this is a debugging feature that should be turned off in production -->
<track-statements/>
<!-- Use the getConnection(user, pw) for logins
<application-managed-security/>
-->
<!-- Use the security domain defined in conf/login-config.xml -->
<security-domain>EncryptedHsqlDbRealm</security-domain>
<!-- This mbean can be used when using in process persistent hypersonic -->
<depends>jboss:service=Hypersonic,database=localDB</depends>
</local-tx-datasource>
<!-- The JaasSecurityDomain used for encryption. Use the name
"jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword"
as the value of the JaasSecurityDomainIdentityLoginModule
jaasSecurityDomain login module option in the EncryptedHsqlDbRealm
login-config.xml section. Typically this service config should be in
the conf/jboss-service.xml descriptor.
The opaque server.password file referenced by the KeyStorePass attribute below could be created using (arguments: salt, iteration count, the master password, output file):
java -cp jbosssx.jar org.jboss.security.plugins.FilePassword 12345678 17 master server.password
The corresponding login-config.xml would look like:
<application-policy name = "EncryptedHsqlDbRealm">
<authentication>
<login-module code = "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule"
flag = "required">
<module-option name = "username">sa</module-option>
<module-option name = "password">E5gtGMKcXPP</module-option>
<module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
<module-option name = "jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
</login-module>
</authentication>
</application-policy>
where the encrypted password was generated using:
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils abcdefgh 13 master ''
Encoded password: E5gtGMKcXPP
-->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
<constructor>
<arg type="java.lang.String" value="ServerMasterPassword"/>
</constructor>
<!-- The opaque master password file used to decrypt the encrypted
database password key -->
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
<attribute name="Salt">abcdefgh</attribute>
<attribute name="IterationCount">13</attribute>
</mbean>
<!-- This mbean can be used when using in process persistent db -->
<mbean code="org.jboss.jdbc.HypersonicDatabase"
name="jboss:service=Hypersonic,database=localDB">
<attribute name="Database">localDB</attribute>
<attribute name="InProcessMode">true</attribute>
</mbean>
</datasources>
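The following Java program is an added example, not code from the original wiki page or from JBoss. It performs the password-based encryption step that JaasSecurityDomain applies (PBEwithMD5andDES, the default cipher of that mbean, with the Salt, IterationCount and KeyStorePass values from the example above) and then shows what happens when PBEUtils is run with a salt or iteration count that does not match the mbean. Standard java.util.Base64 is used for the printed string, so the output will not be byte-for-byte identical to the E5gtGMKcXPP string printed by PBEUtils, which uses JBoss's own base64-style encoder. The class name PbeDemo and the sample values (salt abcdefgh, count 13, master password master, empty hsqldb 'sa' password) are taken from the page's example and are assumptions for this demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/*
 * Added example (not JBoss code): the PBE step behind JaasSecurityDomain's
 * Salt / IterationCount / KeyStorePass attributes, and the failure mode when
 * PBEUtils is run with values that differ from the mbean configuration.
 * Standard base64 is used here; JBoss's PBEUtils prints its own base64 variant.
 */
public class PbeDemo {

    // Default cipher of JaasSecurityDomain; PBEParameterSpec salt must be 8 bytes.
    private static final String ALGORITHM = "PBEwithMD5andDES";

    static Cipher cipher(int mode, byte[] salt, int count, char[] domainPassword) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
        SecretKey key = factory.generateSecret(new PBEKeySpec(domainPassword));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(salt, count)); // salt + count select the derived key
        return c;
    }

    /** What PBEUtils does: encrypt the data source password under the domain (master) password. */
    static String encode(byte[] salt, int count, char[] domainPassword, String dsPassword) throws Exception {
        byte[] enc = cipher(Cipher.ENCRYPT_MODE, salt, count, domainPassword)
                .doFinal(dsPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(enc);
    }

    /** What the server does at deploy time through the JaasSecurityDomain. */
    static String decode(byte[] salt, int count, char[] domainPassword, String encoded) throws Exception {
        byte[] dec = cipher(Cipher.DECRYPT_MODE, salt, count, domainPassword)
                .doFinal(Base64.getDecoder().decode(encoded));
        return new String(dec, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "abcdefgh".getBytes(StandardCharsets.US_ASCII); // JaasSecurityDomain Salt attribute
        int count = 13;                                              // JaasSecurityDomain IterationCount attribute
        char[] master = "master".toCharArray();  // KeyStorePass, normally read from server.password via FilePassword
        String dsPassword = "";                  // hsqldb 'sa' has an empty password in the wiki example

        String encoded = encode(salt, count, master, dsPassword);
        System.out.println("Encoded password: " + encoded);
        System.out.println("Decoded         : '" + decode(salt, count, master, encoded) + "'");

        // PBEUtils run with a salt/count that differ from the mbean (here the FilePassword
        // values 12345678 / 17) derives a different DES key. Usually the PKCS5 padding check
        // fails; in the rare case that it passes, the result is garbage rather than an error.
        try {
            String wrong = decode("12345678".getBytes(StandardCharsets.US_ASCII), 17, master, encoded);
            System.out.println("Wrong salt/count decoded to garbage: '" + wrong + "'");
        } catch (BadPaddingException e) {
            System.out.println("Wrong salt/count: " + e);
        }
    }
}
```

Compile with javac and run as `java PbeDemo`. The point of the second half is that the server gives no hint about which parameter was wrong: a Salt or IterationCount edit on the mbean silently invalidates every password encoded under the old values, so re-run PBEUtils for each datasource after changing them. The scheme is only as strong as the master password and the permissions on server.password, since the Salt and IterationCount are public in the descriptor.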