Well,
A lot of my datasources are loaded on the fly...
I can't have the type in a password when jboss starts.
Also, when there are many different databases... it becomes unmanageable..
d.
-----Original Message-----
From: David Jencks [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 15, 2001 7:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-dev] DataSourceLoader...
Hi,

This discussion comes up in various places on various lists. Since you
don't mention otherwise I assume you are planning to decrypt in code
without manual intervention. As I understand the consensus is, Don't do
this. You need some code to unencrypt the password to send it to the db,
if someone can find your jboss.jcml file they can find the unencryption
code. Thus you have implemented only security by obscurity and only
succeeded in making life harder for the users and probably given them a
false sense of security, encouraging carelessness that a determined hacker
can exploit.

Secrets and Lies by Bruce Schneier is fun to read and explains this really
well.

If you want more security yet don't want to give each user their own
password and have per-subject pools, how about writing a
ConnectionFactoryLoader that pops up a password dialog on startup (in
initService). It's inconvenient, but at least it doesn't try to fool
people into thinking their passwords are hidden. Of course, it could be
hard to figure out where to pop up the dialog...

How about simply encrypting all of jboss.jcml say using pgp and requiring a
manually entered password to unencrypt to start jboss?

In any case if you wish to modify the datasource loading procedure I
suggest you work on the jca resource adapter version since
{XA|JDBC}DataSourceLoader will not really exist in rh. (they will set up
connectionFactoryLoader mbeans).

david jencks

On 2001.08.14 19:12:14 -0400 "Ferguson, Doug" wrote:
> What do you guys think about implementing a version of the DataSource
> loader that allows for encrypted passwords?
>
> I am required to use encrypted db passwords..
> And I was thinking that even if I encrypt once I write the jboss.jcml
> It is now clear text again..
>
> d.
>
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-development