Thanks Andrew - I'll take a look. After a bit of research, my current thoughts are:

1) Use JAAS - I need this anyway
2) Use jboss DatabaseServerLoginModule
3) encrypt password with md5
4) (d)encrypt other data with Password-based encryption from JCE within ejbLoad/ejbStore

The only downside of 4) is that once I have created the secret key from the user's password, I have to keep that key in the user's session so I can (d)encrypt any data I need whilst they are logged in. This is okay so long as there are no memory dumps etc. I guess this is a normal scenario... This way - no one, not even sysadmin can read the sensitive data - right?

I just need the source to DatabaseServerLoginModule so I can do md5 passwords - hopefully there's nothing in there to sink the plan.

Martin

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3822180#3822180

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
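
The plan in item 4 (derive a key from the login password, hold it for the session, encrypt on ejbStore and decrypt on ejbLoad), as an added example that is not part of the original post and not JBoss code. It assumes PBKDF2WithHmacSHA256 and AES-GCM from the JCE rather than any particular PBE algorithm the post had in mind; the class name, iteration count, salt handling and sample values are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical helper (not JBoss code): one instance is created at login and kept in the session.
public class SessionFieldCrypto {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key; // exists only in memory, never written to the database

    // salt: random per-user value stored beside the user row (assumption of this example).
    public SessionFieldCrypto(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256); // iteration count is an assumed value
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            key = new SecretKeySpec(raw, "AES"); // SecretKeySpec keeps its own copy
            Arrays.fill(raw, (byte) 0);          // wipe the temporary key bytes
        } finally {
            spec.clearPassword();                // wipe the spec's copy of the password
        }
    }

    // Would be called from ejbStore: returns iv || ciphertext+tag for the column.
    public byte[] encrypt(String plain) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh IV per value; GCM must never reuse an IV under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Would be called from ejbLoad: throws AEADBadTagException on a wrong key or modified data.
    public String decrypt(byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, stored, 0, 12));
        return new String(c.doFinal(stored, 12, stored.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        // Constructed sample password and field value.
        SessionFieldCrypto session = new SessionFieldCrypto("constructed-password".toCharArray(), salt);
        byte[] column = session.encrypt("constructed sensitive value");
        System.out.println(session.decrypt(column));
    }
}
```

The `SessionFieldCrypto` object is what would sit in the user's session, so the derived key is in heap memory for as long as the login lasts, which is the exposure the post mentions.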