Scott M Stark wrote:

> MD5 is available in Java2 with the bundled sun security provider. You can
> create the MD5 hash and use it in place of the clear text password. MD5
> is a one-way hash so you can't recover the clear text password. None of the
> resources you've listed below will accept an MD5 hash in place of the clear
> text password as far as I know. So how do you intend to use it?

Oops.  Sometimes I really don't think things through.  This is 
absolutely true, and I *DID* know this before I sent the message.  I was 
just so focused on patching the code to handle it, I didn't think about 
the "receiving end" service.  :-/  Sorry 'bout that, and thanks for 
pointing out my dumb mistake.

> You probably need a key store like java.security.KeyStore, but this leads to a
> chicken-and-egg problem as you need a passphrase to obtain the encrypted keys
> from the KeyStore. You could rely on operating system specific security
> like only the user id used to run the app server could load the KeyStore file
> and simply use an empty or well-known passphrase that you don't care about
> being known because it is not what is securing the file. I have been thinking about
> how to add support for this but I have not come up with something I like as yet.

Of course, then why not just make the jboss.jcml file readable only by 
that user ID.  I see your point ...

> As far as not transmitting clear text passwords, this is somewhat out of the hands
> of JBoss in general as what you're talking to has to either support SSL or accept
> an encrypted/hashed password. This is definitely not true for all JDBC, JMS,
> JNDI, ... etc resource factories.

Right again.  I'm going to have to have our professional services group 
push back on the customer for this.  Thanks for straightening me out.

++Jeff
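One way to implement the KeyStore approach Scott sketches above, as an added example that is not from this thread or from JBoss itself: the resource password is kept as a SecretKey entry in a JCEKS store, the store passphrase is deliberately well-known, and the real protection is the owner-only file permission. The store type, passphrase, alias and file name are constructed values for illustration.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Keeps a resource (e.g. JDBC) password out of the clear-text config file. */
public class ResourcePasswordStore {
    private static final String STORE_TYPE = "JCEKS";           // JCEKS can hold SecretKey entries
    private static final char[] STORE_PASS = "changeit".toCharArray(); // intentionally well-known
    private static final char[] ENTRY_PASS = STORE_PASS;

    public static void save(Path file, String alias, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, STORE_PASS);                                 // start with an empty store
        SecretKey key = new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "RAW");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(ENTRY_PASS));
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, STORE_PASS);
        }
        // The access control lives here: only the app server's user id can read the file.
        // (POSIX only; on Windows use an ACL on the file instead.)
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
    }

    public static String load(Path file, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, STORE_PASS);
        }
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
            ks.getEntry(alias, new KeyStore.PasswordProtection(ENTRY_PASS));
        if (entry == null) {
            throw new IllegalStateException("no entry for alias " + alias);
        }
        return new String(entry.getSecretKey().getEncoded(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path file = Path.of("resource-passwords.jceks");          // constructed file name
        save(file, "jdbc/OrdersDB", "s3cret-constructed");        // constructed alias and password
        System.out.println(load(file, "jdbc/OrdersDB").equals("s3cret-constructed"));
    }
}
```

The recovered password is still sent in the clear to a resource that only accepts clear-text credentials, which is exactly the limitation Scott points out: this only removes the secret from the readable config file.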


_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-development