On Tue, Apr 10, 2001 at 10:09:41AM -0700, Jeffrey Wescott wrote:
>
> Toby Allsopp wrote:
>
> > Hi. First, this is a question for the jboss-user list. This list is for
> > discussion of the development of JBoss itself.
>
> Uh-huh. To quote myself "... where IN THE CODE can I ...". I didn't
> think that the JBoss user list would be intimately familiar with the
> JBoss source code. I really do feel pretty strongly that my
> (admittedly, stupid -- see below) question was appropriate for the
> development list. I meant to find out how to change the JBoss source to
> enhance security ...

Ah, I apologise for the misunderstanding. I thought you were referring to
your code. My bad.

> >> We are in the beginning stages of a deployment at a customer site. We
> >> (obviously, or why would I post here) are deploying our application on
> >> top of jBoss 2.1 BETA. One of the IT requirements at this customer is
> >> that no passwords can be stored or transmitted in the clear. As such,
> >> we need to MD5 (or otherwise encrypt) all of the passwords in
> >> jboss.jcml. There are three that I know of:
> >>
> >> 1. XADataSourceLoader
> >> 2. ConnectionFactoryLoader
> >> 3. MailService
> >>
> >> My question is the following: How and where in the code can I enable
> >> support for MD5 (or otherwise encrypted) passwords?
> >
> >
> > Gah! I just had this argument at work. The services you are sending the
> > passwords to require the clear text, so you must be able to decrypt the
> > passwords before sending them. So, where do you store the decryption key?
>
> Agreed, it's a tricky problem with no simple solution. The best we
> could do would be to "reversibly hash" the password and then de-hash it
> before it was sent. This, in my opinion, is no better than cleartext,
> but our customer may disagree.

Well, if all you want is some snake-oil security-by-obscurity then it should
be trivial to rot-13 the passwords. Just modify the setPassword methods
in the MBeans you're interested in.

> Thanks for your help.

That's charitable of you :-).

Toby.

_______________________________________________
Jboss-development mailing list
http://lists.sourceforge.net/lists/listinfo/jboss-development
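
The key-storage question raised in the thread, as an added example that is not code from the thread or from JBoss: a digest cannot be handed to the service as a login, and an encrypted config value is protected only by the access control on the key the server itself must read. The class and method names are hypothetical, the password is a constructed sample, and a POSIX file system is assumed.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.*;
import java.util.*;
public class ConfigPasswordDemo { // hypothetical class, not part of JBoss
    // Encrypt a password for storage in a config file: base64(iv || ciphertext+tag).
    static String seal(byte[] key, String password) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    // What a modified setPassword would have to do before the service can log in.
    static String open(byte[] key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // The key lives in its own file; refuse it if anyone but the owner has access (POSIX only).
    static byte[] loadKey(Path keyFile) throws Exception {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        if (!EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE).containsAll(perms))
            throw new SecurityException("key file is accessible beyond its owner: " + perms);
        return Files.readAllBytes(keyFile);
    }
    public static void main(String[] args) throws Exception {
        String password = "db-pass-constructed"; // constructed sample value
        // A digest is one-way: the service needs the cleartext, and this cannot yield it.
        byte[] md5 = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
        System.out.println("md5, useless for login: " + Base64.getEncoder().encodeToString(md5));
        Path keyFile = Files.createTempFile("demo", ".key", // constructed key file, owner-only
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        Files.write(keyFile, key);
        String sealed = seal(key, password); // the value the config file would hold
        // Whoever can read the key file recovers the password exactly as the server does.
        System.out.println("recovered: " + open(loadKey(keyFile), sealed));
        Files.delete(keyFile);
    }
}
```

The protection here comes from the file permissions on the key, not from the encryption itself, which is the point both posters agree on.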