Custom JBoss DataSorurce password encryption?

Question

I'm working with JBoss 4.2.1GA.

As you might now there is a way to avoid having JBoss DataSoruce's password in plain text. However this technique has a fundamental security flaw which becomes obvious when you look at how org.jboss.resource.security.SecureIdentityLoginModule decode and encode methods are implemented. The encryption is basically a regular blowfish using a fixed secret key ("jaas is the way").

I'm looking for a way to either change the fixed secret key for one I pick or to change how the encryption/decryption is done.

I'm inclined to think that it can be done by reimplementing SecureIdentityLoginModule which is fine, but I'm finding hard to believe there is no out-of-the-box option for this (so far I haven't found any)

Has someone done something like this?

Answer 1

Ok, this is how I accomplished this (I'm working on JBOSS 4.2.1 GA and Oracle so some stuff may differ between versions and DB vendors):

You need to extend AbstractPasswordCredentialLoginModule.

I based mine (Called PGPLoginModule) on the out of the box implementation called SecureIdentityLoginModule the only difference between that and mine is the decode and encode methods which use a different encryption algorithm and process (mine is using a PGP certificate to decrypt a properties file where the password is stored) similar to what is explained in this article, but you can use whatever method you prefer.

You'll require to add the following jars located on jboss library folders in order to resolve dependencies:

• [JBOSS_HOME]/lib/jboss-common.jar
• [JBOSS_HOME]/lib/jboss-jmx.jar
• [JBOSS_HOME]/server/default/lib/jbosssx.jar
• [JBOSS_HOME]/server/default/lib/jboss-jca.jar

You need to JAR your class and place the jar on either:

• [JBOSS_HOME]/server/default/lib

or

• [JBOSS_HOME]/lib

When you have that you need to configure it on the Security Domain you defined on jboss's login-config.xml so that it uses your class (mine is org.company.resource.security.PGPLoginModule) instead of using the default one so it will look something like:

<application-policy name="PGPDomain">
        <authentication>
            <login-module code="org.company.resource.security.PGPLoginModule" flag="required">
                <module-option name="username">[DB_USER]</module-option>
                <module-option name="password">[ENCTRYPTED_PASSWORD]</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
            </login-module>
        </authentication>
    </application-policy>

Please notice that depending on the strength and algorithm you decide to use you may need to install the Java Cryptography Extension Unlimited Strength Policy Files to your JRE.

I hope someone finds it useful.

Answer 2

Take a look at the following wiki document. It describes two way of encrypting JBoss Passwords. The first one is what you have described and the second one is Password Based Encryption.

Answer 3

There is an outstanding bug ticket for this issue, at least for JBoss 4.0.x: https://issues.jboss.org/browse/JBAS-4460

Note the comment:

The "encrypt the database" password thing is there for passing silly security audits. Ultimately there will be a password of some kind somewhere because the system needs to decrypt the password to send it to the database. It will always be easy for a relatively experienced programmer to hack this. Filesystem/OS security + transport security are your only hope here.

What the commenter is saying is a common issue for all security systems: at some point there is a key which can be decrypted. Make sure your server's filesystem security is nailed down so that this key is not easily accessed, and you should be fine.