Re: [JBoss-dev] DataSourceLoader...

Thu, 16 Aug 2001 11:06:43 -0700 

What is ResourceAdapterName used for?

--jason


On Wed, 15 Aug 2001, David Jencks wrote:

> Hi,
>
> This discussion comes up in various places on various lists.  Since you
> don't mention otherwise I assume you are planning to decrypt in code
> without manual intervention.  As I understand the consensus is, Don't do
> this.  You need some code to unencrypt the password to send it to the db,
> if someone can find your jboss.jcml file they can find the unencryption
> code.  Thus you have implemented only security by obscurity and only
> succeeded in making life harder for the users and probably given them a
> false sense of security, encouraging carelessness that a determined hacker
> can exploit.
>
> Secrets and Lies by Bruce Schneier is fun to read and explains this really
> well.
>
> If you want more security yet don't want to give each user their own
> password and have per-subject pools, how about writing a
> ConnectionFactoryLoader that pops up a password dialog on startup ( in
> initService).  It's inconvenient, but at least it doesn't try to fool
> people into thinking their passwords are hidden.  Of course, it could be
> hard to figure out where to pop up the dialog...
>
> How about simply encrypting all of jboss.jcml say using pgp and requiring a
> manually entered password to unencrypt to start jboss?
>
> In any case if you wish to modify the datasource loading procedure I
> suggest you work on the jca resource adapter version since
> {XA|JDBC}DataSourceLoader will not really exist in rh. (they will set up
> connectionFactoryLoader mbeans).
>
> david jencks
>
> On 2001.08.14 19:12:14 -0400 "Ferguson, Doug" wrote:
> > What do you guys think about implemented a version of the DataSource
> > loader
> > that
> > allows for encrypted passwords?
> >
> > I am required to use encrypted db passwords..
> > And I was thinking that even if I encrypt once I write the jboss.jcml
> > It is now clear text again..
> >
> > d.
> >
> > _______________________________________________
> > Jboss-development mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/jboss-development
> >
> >
>
> _______________________________________________
> Jboss-development mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-development
>


_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-development

Reply via email to