I work for a security company and we are going to be delivering our next product on JBoss. Our secure coding requirements dictate that usernames and passwords cannot be left in clear text on the filesystem. We are using a DB2 datasource but we cannot have the username and password in the -ds.xml. I have seen the SecureLoginModule code, but it still shows the username in clear text, even though the password is encrypted. A further requirement wrinkle is that the customer is supposed to be able to change the username and password for the database at will, which makes the SecureLoginModule less attractive as a solution.
The solution that we (partially) came up with was to remove the username and password from the -ds.xml file and to let JBoss create the datasource without these two elements. We then put the username and password into an encrypted properties file that is read and decrypted by a deployer MBean that we wrote. We have a custom utility for the customer to run to change these values and re-write the file when she wants. So far, so good.

But now that we have the decrypted username and password in the deployer MBean, how do we go about adding these values to the JNDI-existent datasource? I thought about looking up the datasource in JNDI and adding the uname and pswd with a setUsername() and setPassword() mechanism, but datasource doesn't expose these methods. The ManagedConnectionFactory for the ds has a method for setting the uname and pswd, but is it enough to set them there and not on the ds itself? Would it make better sense to try and dynamically create the datasource in the deployer MBean after we have the uname and password from the encrypted prop file?

Any help or suggestions would be greatly appreciated!

David Heinecke

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3829671#3829671
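The encrypted-properties approach described in the post, as an added example that is not part of the original post or of JBoss: the file is sealed with AES-GCM so that tampering is detected on load, and the decrypted values are passed per call through the standard `DataSource.getConnection(user, password)` instead of being written back to -ds.xml. Assumptions: JDK 8 or later, a container datasource that accepts per-call credentials, and an AES key kept outside the file; the class name, file layout and property names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.sql.Connection;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.sql.DataSource;

public class EncryptedDbCredentials {
    // Assumed file layout: 12-byte random IV, then AES-GCM ciphertext and tag.
    static void store(Path file, SecretKey key, Properties props) throws Exception {
        ByteArrayOutputStream plain = new ByteArrayOutputStream();
        props.store(plain, null);
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);            // fresh IV on every rewrite
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(iv);
        out.write(c.doFinal(plain.toByteArray()));
        Files.write(file, out.toByteArray());
    }
    static Properties load(Path file, SecretKey key) throws Exception {
        byte[] blob = Files.readAllBytes(file);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        // doFinal throws AEADBadTagException on a wrong key or a modified file.
        byte[] plain = c.doFinal(blob, 12, blob.length - 12);
        Properties p = new Properties();
        p.load(new ByteArrayInputStream(plain));
        return p;
    }
    static Connection open(DataSource ds, Properties creds) throws Exception {
        return ds.getConnection(creds.getProperty("username"), creds.getProperty("password"));
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // stand-in key
        Path file = Files.createTempFile("db-creds", ".enc");
        Properties sample = new Properties();                          // constructed values
        sample.setProperty("username", "appuser");
        sample.setProperty("password", "example-only");
        store(file, key, sample);
        System.out.println(load(file, key).getProperty("username"));
    }
}
```

The file is only as protected as the key: a key stored beside the file in clear text leaves the credentials recoverable by anyone who can read both.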
