MD5 is available in Java2 with the bundled sun security provider. You can
create the MD5 hash and use it in place of the clear text password. MD5
is a one-way hash so you can't recover the clear text password. None of the
resources you've listed below will accept an MD5 hash in place of the clear
text password as far as I know. So how do you intend to use it?

You probably need a key store like java.security.KeyStore, but this leads to a
chicken and egg problem as you need a passphrase to obtain the encrypted keys
from the KeyStore. You could rely on operating system specific security
like only the user id used to run the app server could load the KeyStore file
and simply use an empty or well-known passphrase that you don't care about
being known because it is not what is securing the file. I have been thinking about
how to add support for this but I have not come up with something I like as yet.

As far as not transmitting clear text passwords, this is somewhat out of the hands
of JBoss in general as what you're talking to has to either support SSL or accept
an encrypted/hashed password. This is definitely not true for all JDBC, JMS,
JNDI, ... etc resource factories.


----- Original Message ----- 
From: "Jeffrey Wescott" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "engleads" <[EMAIL PROTECTED]>
Sent: Monday, April 09, 2001 11:57 AM
Subject: [JBoss-dev] Passwords / XADataSourceLoader


> Hey, all.
> 
> We are in the beginning stages of a deployment at a customer site.  We 
> (obviously, or why would I post here) are deploying our application on 
> top of jBoss 2.1 BETA.  One of the IT requirements at this customer is 
> that no passwords can be stored or transmitted in the clear.  As such, 
> we need to MD5 (or otherwise encrypt) all of the passwords in 
> jboss.jcml.  There are three that I know of:
> 
>    1. XADataSourceLoader
>    2. ConnectionFactoryLoader
>    3. MailService
>       
> My question is the following: How and where in the code can I enable 
> support for MD5 (or otherwise encrypted) passwords?
> 
> ++Jeff
> 
> 
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-development
> 
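
The KeyStore arrangement described in the reply above, as an added example that is not part of the original thread or of the JBoss code base: resource passwords are held in a `java.security.KeyStore` file whose protection comes from owner-only file permissions rather than from the passphrase. The class name, alias, file name, `changeit` passphrase and sample password are assumptions made for illustration, and the permission handling assumes a POSIX file system.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public class ResourcePasswordStore {
    // Well-known passphrase (assumed value): deliberately not a secret.
    // File ownership and mode are what protect the store.
    static final char[] WELL_KNOWN = "changeit".toCharArray();

    static void store(Path file, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, WELL_KNOWN); }
        } else {
            ks.load(null, WELL_KNOWN);
            // Create the file owner-only before any secret is written to it.
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        }
        // "RAW" is only a label; the entry just carries the password bytes.
        byte[] raw = new String(password).getBytes(StandardCharsets.UTF_8);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(raw, "RAW")),
                new KeyStore.PasswordProtection(WELL_KNOWN));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, WELL_KNOWN); }
    }

    static char[] load(Path file, String alias) throws Exception {
        // Refuse a store that group or others can access: the passphrase protects nothing.
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(file));
        if (!mode.endsWith("------")) {
            throw new SecurityException(file + " has mode " + mode + ", expected owner-only");
        }
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, WELL_KNOWN); }
        KeyStore.SecretKeyEntry e = (KeyStore.SecretKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(WELL_KNOWN));
        if (e == null) throw new IllegalArgumentException("no entry for alias " + alias);
        return new String(e.getSecretKey().getEncoded(), StandardCharsets.UTF_8).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempDirectory("ks-demo").resolve("resources.jceks");
        store(file, "xadatasource", "s3cret-db-pw".toCharArray()); // constructed sample value
        System.out.println(new String(load(file, "xadatasource")));
    }
}
```

The recovered password still has to be handed to the JDBC, JMS or mail resource in clear text, which is the limitation the reply points out.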

