Not sure whether this falls under wrong documentation or incorrect behavior, 
but I found the existing docs for setting up encrypted database passwords for 
Oracle XA datasources don't work in TomEE 7.0.1.

My goal is to use a custom PasswordCipher since we have apps with encrypted 
passwords for a legacy application server.  It would be convenient to enable 
using the existing encrypted password strings without having to decrypt / 
re-encrypt them.  I wrote a custom PasswordCipher, created META-INF entries, 
and set up the resources.xml entries as described in 
http://tomee.apache.org/examples-trunk/datasource-ciphered-password/README.html.

1) Created my.package.PasswordCipher, implements 
org.apache.openejb.cipher.PasswordCipher.

2) Added META-INF/org.apache.openejb.cipher.PasswordCipher/mycipher which 
contains my.package.PasswordCipher, ensured that and the class are in a JAR in 
lib.

3) resources.xml contains:
  <Resource id="myPool" type="DataSource">
    JdbcDriver oracle.jdbc.xa.client.OracleXADataSource
    JdbcUrl jdbc:...
    User mewho
    Password Y2hhbmdlbWU=
    PasswordCipher mycipher
    InitialSize 10
    MaxActive 50
    MaxIdle 10
    MaxWait 15000
    ValidationQuery "SELECT sysdate FROM DUAL"
    TestOnBorrow true
    TestOnReturn true
    TestWhileIdle true
    TimeBetweenEvictionRunsMillis 60000
    AccessToUnderlyingConnectionAllowed true
    JtaManaged true
  </Resource>

The password was never decrypted in this case.  I verified with both debugger 
breakpoints & System.out's that my PasswordCipher's decrypt method was never 
called.

I had to remove Password & PasswordCipher from the Resource and use 
"VaultPassword cipher:mycipher:Y2hhbmdlbWU=" instead.  That works.

I've run into other situations where Oracle XA seems to behave a little 
differently than other datasource types in TomEE (including requiring "User" 
instead of "UserName" as the property key), though I'm not clear on why that is.

Is this something where the documentation needs an "except OracleXA" addition, 
a change in behavior in TomEE 7.0.1 (which I'm using) that the docs haven't 
caught up with, or a bug?

What I've got now looks like it works, but if it's not the "right" way, I'd 
prefer to change it and hopefully not end up broken at some point in the future.

Best regards,
Zac Bedell

