Hi,
I feel your requirements are wide, and I feel I will not have enough time.
I have just put down how to use what I did to get secure passwords. You will have to
incorporate these changes into what you have done. I am sorry; I will
not have time in this release to cater to each of your requirements.
But I will definitely do this for the next release.
I hope the following will help.
Please note: you have to follow Synapse_Samples_Setup.html, under the
section "Securing Password and Setting up Synapse DataSources".
VFS listener case:
<parameter name="transport.vfs.password">alias password</parameter>
<parameter name="transport.vfs.passwordProvider">org.apache.synapse.security.secret.handler.SecretManagerSecretCallbackHandler</parameter>
Considering that the above two properties have been resolved, create
an instance of SecretCallbackHandler as below:
SecretCallbackHandler passwordProvider =
        SecretCallbackHandlerFactory.createSecretCallbackHandler(provider);
Then a method similar to the following (the method is from
'DataSourceInformation.java') can be used to get the actual password:
/**
 * Get the actual password based on the SecretCallbackHandler and the alias password.
 * If the SecretCallbackHandler is null, the alias password itself is returned.
 * @return actual password
 */
public String getResolvedPassword() {
    if (passwordProvider != null) {
        if (aliasPassword != null && !"".equals(aliasPassword)) {
            SecretLoadingModule secretLoadingModule = new SecretLoadingModule();
            secretLoadingModule.init(new SecretCallbackHandler[]{passwordProvider});
            SingleSecretCallback secretCallback =
                    new SingleSecretCallback(DataSourceConfigurationConstants.PROMPT, aliasPassword);
            SecretCallback[] secretCallbacks = new SecretCallback[]{secretCallback};
            secretLoadingModule.load(secretCallbacks);
            return secretCallback.getSecret();
        }
    }
    return aliasPassword;
}
To resolve many passwords, logic similar to the following can be used
(this code is from 'SecretManager.java'):
String identityStorePass;
String identityKeyPass;
String trustStorePass;

// Creating the required password callbacks
SingleSecretCallback trustStorePassSecretCallback =
        new SingleSecretCallback(TRUSTSTORE_PASSWORD_PROMPT, TRUSTSTORE_PASSWORD_ID);
SingleSecretCallback identityStorePassSecretCallback =
        new SingleSecretCallback(IDENTITYSTORE_PASSWORD_PROMPT, IDENTITYSTORE_PASSWORD_ID);
SingleSecretCallback identityKeyPassSecretCallback =
        new SingleSecretCallback(IDENTITYSTORE_PRIVATE_KEY_PASSWORD_PROMPT,
                IDENTITYSTORE_PRIVATE_KEY_PASSWORD_ID);

// Group all of them as one callback
MultiSecretCallback callback = new MultiSecretCallback();
callback.addSecretCallback(trustStorePassSecretCallback);
callback.addSecretCallback(identityStorePassSecretCallback);
callback.addSecretCallback(identityKeyPassSecretCallback);
SecretCallback[] secretCallbacks = new SecretCallback[]{callback};

// Create and initialise the SecretLoadingModule
SecretLoadingModule secretLoadingModule = new SecretLoadingModule();
secretLoadingModule.init(new SecretCallbackHandler[]{secretCallbackHandler});

// Load the passwords
secretLoadingModule.load(secretCallbacks);
identityKeyPass = identityKeyPassSecretCallback.getSecret();
identityStorePass = identityStorePassSecretCallback.getSecret();
trustStorePass = trustStorePassSecretCallback.getSecret();
Thanks
Indika
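The alias-resolution flow described in the message above, wired end to end as an added example. This is not Synapse code and not Indika's; it assumes the classes live in org.apache.synapse.security.secret, that SecretCallbackHandler declares handle(SecretCallback[]), that SingleSecretCallback exposes getId() and setSecret(), and that SecretCallbackHandlerFactory.createSecretCallbackHandler takes the provider class name from transport.vfs.passwordProvider, as the snippet above suggests. The in-memory handler and the alias values are constructed stand-ins for SecretManagerSecretCallbackHandler and a real secret store. It resolves several aliases in one load() call and fails closed when an alias is unresolved, rather than returning the alias string as the password, which is what getResolvedPassword() above does when no provider is configured.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.synapse.security.secret.SecretCallback;
import org.apache.synapse.security.secret.SecretCallbackHandler;
import org.apache.synapse.security.secret.SecretCallbackHandlerFactory;
import org.apache.synapse.security.secret.SecretLoadingModule;
import org.apache.synapse.security.secret.SingleSecretCallback;

/**
 * Added example: turn the two VFS listener parameters (an alias in
 * transport.vfs.password, a handler class in transport.vfs.passwordProvider)
 * into real passwords without ever putting a password in synapse.xml.
 * Package names, handle()/getId()/setSecret() and the factory signature are
 * assumptions about the Synapse secret API, not taken from the thread.
 */
public class VfsPasswordResolver {

    /** Prompt used if a handler asks interactively; the real code uses DataSourceConfigurationConstants.PROMPT. */
    private static final String PROMPT = "password> ";

    /** Build the provider from the transport.vfs.passwordProvider value (assumed to be the class name). */
    public static SecretCallbackHandler providerFromParameter(String providerClassName) {
        if (providerClassName == null || "".equals(providerClassName.trim())) {
            throw new IllegalStateException("transport.vfs.passwordProvider is not set");
        }
        return SecretCallbackHandlerFactory.createSecretCallbackHandler(providerClassName);
    }

    /**
     * Resolve several aliases with one SecretLoadingModule.load() call.
     * Fails closed: a missing provider or an alias the provider leaves empty throws,
     * so an alias string can never be sent to the remote host as if it were the password.
     */
    public static Map<String, String> resolveAliases(SecretCallbackHandler provider, String... aliases) {
        if (provider == null) {
            throw new IllegalStateException("no SecretCallbackHandler configured");
        }
        SingleSecretCallback[] callbacks = new SingleSecretCallback[aliases.length];
        for (int i = 0; i < aliases.length; i++) {
            if (aliases[i] == null || "".equals(aliases[i])) {
                throw new IllegalArgumentException("empty alias at position " + i);
            }
            // The alias is the callback id; the handler fills in the secret
            callbacks[i] = new SingleSecretCallback(PROMPT, aliases[i]);
        }

        SecretLoadingModule module = new SecretLoadingModule();
        module.init(new SecretCallbackHandler[]{provider});
        module.load(callbacks); // a SingleSecretCallback[] is accepted where SecretCallback[] is expected

        Map<String, String> resolved = new LinkedHashMap<String, String>();
        for (int i = 0; i < aliases.length; i++) {
            String secret = callbacks[i].getSecret();
            if (secret == null || "".equals(secret)) {
                throw new IllegalStateException("provider did not resolve alias '" + aliases[i] + "'");
            }
            resolved.put(aliases[i], secret);
        }
        return resolved;
    }

    /**
     * Stand-in for SecretManagerSecretCallbackHandler so the example runs without a
     * secret store: looks each alias up in an in-memory map (constructed data).
     */
    static class InMemorySecretCallbackHandler implements SecretCallbackHandler {
        private final Map<String, String> store;

        InMemorySecretCallbackHandler(Map<String, String> store) {
            this.store = store;
        }

        public void handle(SecretCallback[] callbacks) {
            for (SecretCallback cb : callbacks) {
                if (cb instanceof SingleSecretCallback) {
                    SingleSecretCallback single = (SingleSecretCallback) cb;
                    String secret = store.get(single.getId());
                    if (secret != null) {
                        single.setSecret(secret); // unknown aliases stay empty; the caller fails closed
                    }
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed store: what the secret store would hold; these values never appear in synapse.xml
        Map<String, String> store = new LinkedHashMap<String, String>();
        store.put("sftp.partner-a.password", "not-in-any-config-file");
        store.put("sftp.partner-b.password", "also-kept-out-of-config");
        SecretCallbackHandler provider = new InMemorySecretCallbackHandler(store);

        Map<String, String> secrets =
                resolveAliases(provider, "sftp.partner-a.password", "sftp.partner-b.password");
        // Log aliases only, never the resolved values
        System.out.println("resolved aliases: " + secrets.keySet());

        try {
            resolveAliases(provider, "sftp.partner-c.password"); // alias with no secret behind it
        } catch (IllegalStateException e) {
            System.out.println("fail closed: " + e.getMessage());
        }
    }
}
```

Only the alias belongs in synapse.xml, so nothing here logs a resolved value; main() prints the alias names and the failure message. In a deployment, replace the in-memory handler with providerFromParameter(transport.vfs.passwordProvider) and pass the value of transport.vfs.password as the alias.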
On Mon, Apr 6, 2009 at 10:04 AM, Kim Horn <[email protected]> wrote:
> OK, that would be great; note we are also doing it using a class mediator for
> HTTP Transport and WS-Security.
>
> Thanks
> Kim
>
> -----Original Message-----
> From: indika kumara [mailto:[email protected]]
> Sent: Monday, 6 April 2009 2:24 PM
> To: [email protected]
> Subject: Re: Can VFS SFTP Passwords be encrypted
>
> How to secure passwords in data sources is in the document
> Synapse_Samples_Setup.html, under the section Securing Password and Setting
> up Synapse DataSources. I will try to add this to VFS too.
>
> Indika
>
> On Mon, Apr 6, 2009 at 7:28 AM, Kim Horn <[email protected]> wrote:
>> Are these security fixes for data sources going into 1.3?
>> If not, then an interim hack really needs to be done; we just cannot use
>> Synapse at all with passwords in clear text.
>> Suggestions:
>>
>> 1) Implement an interface that does decryption, so the user can supply
>> their own code, whatever that is. So specify a decrypt method that takes a
>> string and returns a string.
>>
>> 2) To fix data sources, add a parameter:
>> <decryption-class>class-Name</decryption-class>
>> - this takes the supplied password in the current <password> tag and gets the
>> decrypted password from the class above.
>>
>> 3) To fix VFS, we need to supply a new set of URL options:
>> <host-path>host-name:port/path</host-path>
>> <user>synapse</user>
>> <password>encrypted-password</password>
>> <decryption-class>class-Name</decryption-class>
>>
>> - given the above, the current <parameter name="transport.vfs.FileURI"> can
>> be built.
>> To be consistent with the strange VFS parameters, the above can be changed to
>> something like:
>>
>> <parameter name="transport.vfs.hostPath">host-name:port/path</parameter>
>> <parameter name="transport.vfs.user">username</parameter>
>> <parameter name="transport.vfs.password">encrypted-password</parameter>
>> <parameter name="transport.vfs.decryptionClass">class-Name</parameter>
>>
>>
>> If people agree to this, I will create a Jira and start the work.
>>
>>
>> Kim
>>
>> -----Original Message-----
>> From: Andreas Veithen [mailto:[email protected]]
>> Sent: Friday, 3 April 2009 5:54 AM
>> To: [email protected]
>> Subject: Re: Can VFS SFTP Passwords be encrypted
>>
>> I agree that it should be possible to use all Synapse features without
>> having to store cleartext passwords in the config files (and without
>> having them appear in log files).
>>
>> Just some random ideas about this topic:
>>
>> * Indika implemented a mechanism for exactly this, but for the moment
>> this is limited to data sources. There is some documentation about
>> this feature, but it is somewhat hidden in the Sample Setup guide. We
>> should have this documentation in a more prominent place. Maybe as a
>> subsection in the new Deployment guide?
>>
>> * As an alternative to usernames and passwords encoded in URLs,
>> Commons VFS supports authentication by passing a
>> org.apache.commons.vfs.UserAuthenticator object to the file system
>> provider. Maybe we should define a property in the message context to
>> allow passing such an object to the transport. Alternatively we could
>> write an adapter so that we can handle e.g. HTTPS and VFS
>> authentication in the same way.
>>
>> * We should then have a mediator that builds the UserAuthenticator
>> using the password encryption mechanisms implemented by Indika.
>>
>> Any thoughts?
>>
>> Andreas
>>
>> On Thu, Apr 2, 2009 at 00:34, Kim Horn <[email protected]> wrote:
>>> It may; we are given simple text passwords by systems we have to
>>> interface to. FTP is still the largest B2B mechanism in the US :-). We
>>> cannot ask them to supply us anything else but a simple
>>> username/password; this is the reality of B2B. The only issue we have
>>> is that these are not kept in clear text in script files. In our domain
>>> this is illegal and in all other domains bad practice. So all we
>>> require is to be able to have these encrypted in any script files. I
>>> think this Jira suggests a stronger mechanism, sharing keys between SFTP
>>> servers, but it is totally impractical in real-world B2B.
>>>
>>>
>>> Kim
>>>
>>> -----Original Message-----
>>> From: Asankha Perera [mailto:[email protected]] On Behalf Of
>>> Asankha C. Perera
>>> Sent: Thursday, 2 April 2009 3:48 AM
>>> To: [email protected]
>>> Subject: Re: Can VFS SFTP Passwords be encrypted
>>>
>>> Hi Jay / Kim
>>>> A suggestion. SFTP can use PKI shared keys for authentication. The
>>>> keys are host+user specific.
>>>>
>>>> I am not familiar enough with Synapse to know exactly how you'd go
>>>> about it, but I do suggest that the answer lies in using PKI.
>>>>
>>> I guess https://issues.apache.org/jira/browse/SYNAPSE-507 is a proper
>>> solution for this, and possibly we could already tweak VFS to do this.
>>>
>>> cheers
>>> asankhaa
>>>
>>> --
>>> Asankha C. Perera
>>> AdroitLogic, http://adroitlogic.org
>>>
>>> http://esbmagic.blogspot.com
>>>
>>
>
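Andreas's UserAuthenticator suggestion, shown on the Commons VFS side as an added example. This is example code, not Synapse's VFS transport (which in this thread takes credentials embedded in transport.vfs.FileURI) and not code from any participant; it uses the Commons VFS 1.x API that Andreas names (org.apache.commons.vfs.UserAuthenticator, with StaticUserAuthenticator, DefaultFileSystemConfigBuilder.setUserAuthenticator and the SFTP config builder's host-key settings). The host, path and known_hosts location are placeholders, and actually resolving the directory needs a reachable SFTP server. The credentials go into FileSystemOptions, so the URI that ends up in configuration, exception messages and logs carries only host, port and path, and strict host-key checking refuses to send the password to a host that is not in known_hosts.

```java
import java.io.File;

import org.apache.commons.vfs.FileObject;
import org.apache.commons.vfs.FileSystemException;
import org.apache.commons.vfs.FileSystemManager;
import org.apache.commons.vfs.FileSystemOptions;
import org.apache.commons.vfs.UserAuthenticator;
import org.apache.commons.vfs.VFS;
import org.apache.commons.vfs.auth.StaticUserAuthenticator;
import org.apache.commons.vfs.impl.DefaultFileSystemConfigBuilder;
import org.apache.commons.vfs.provider.sftp.SftpFileSystemConfigBuilder;

/**
 * Added example: hand SFTP credentials to Commons VFS through a UserAuthenticator
 * instead of embedding them in the file URI. The password is expected to be the
 * output of alias resolution (an alias in synapse.xml, resolved at runtime),
 * never a literal in configuration.
 */
public class SftpAuthenticatorExample {

    /**
     * Build FileSystemOptions carrying the credentials and the host-key policy.
     * With strict checking on, a host missing from knownHosts is rejected before
     * the password is sent.
     */
    public static FileSystemOptions sftpOptions(String user, String password, File knownHosts)
            throws FileSystemException {
        FileSystemOptions opts = new FileSystemOptions();
        // null domain: SFTP has no domain concept
        UserAuthenticator auth = new StaticUserAuthenticator(null, user, password);
        DefaultFileSystemConfigBuilder.getInstance().setUserAuthenticator(opts, auth);

        SftpFileSystemConfigBuilder sftp = SftpFileSystemConfigBuilder.getInstance();
        sftp.setStrictHostKeyChecking(opts, "yes"); // "no" would accept any server key
        sftp.setKnownHosts(opts, knownHosts);
        sftp.setUserDirIsRoot(opts, false); // paths are absolute on the server, not relative to the login dir
        return opts;
    }

    /** Resolve a directory from a URI that holds only host, port and path. */
    public static FileObject openDirectory(String hostPath, FileSystemOptions opts)
            throws FileSystemException {
        FileSystemManager manager = VFS.getManager();
        return manager.resolveFile("sftp://" + hostPath, opts);
    }

    public static void main(String[] args) throws FileSystemException {
        // Placeholder values; the password would come from the alias-resolution step
        String user = "synapse";
        String password = args.length > 0 ? args[0] : "resolved-at-runtime";
        File knownHosts = new File(System.getProperty("user.home"), ".ssh/known_hosts");
        String hostPath = "sftp.example.com:22/inbound"; // placeholder host and path

        FileSystemOptions opts = sftpOptions(user, password, knownHosts);
        try {
            FileObject inbound = openDirectory(hostPath, opts);
            // getFriendlyURI() omits any password, so it is safe to log
            System.out.println("connected: " + inbound.getName().getFriendlyURI());
        } catch (FileSystemException e) {
            // Unreachable host and host-key mismatch both land here; the URI in the
            // message never contained the password, so it cannot leak through logging
            System.out.println("SFTP connection failed: " + e.getMessage());
        }
    }
}
```

The same FileSystemOptions object can be reused for every resolveFile() call against that server, so the password is held in one place in memory rather than rebuilt into a URI string for each file.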