Re: [jetty-dev] Password obfuscation in 8.1.2

The obfuscated password strings that org.eclipse.jetty.util.security.Password produces are recognized by various jetty components and converted when they see them.

However, <New class="com.mchange.v2.c3p0.ComboPooledDataSource">, is not a Jetty component.
The Jetty IoC XML format has no magic behavior with regards to Password handling.
Think of the <New> and <Set> calls as code.

If you would like to see the Jetty IoC XML format convert obfuscated passwords before calling the components, then file a feature request asking for this magic behavior.
https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Jetty&format=guided


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Expert advice, services and support from the Jetty & CometD experts


On Tue, Oct 22, 2013 at 6:00 PM, Mike Harrelson <mharrelson@xxxxxxxxxxxxxx> wrote:

Hi all,

I’ve read the secure password obfuscation document from: http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html

And I’m trying to use the OBF version of my password in a jetty-env.xml data source configuration but it’s not converting back to the original password.  I’ve looked at what’s being passed into the data source’s setPassword and it’s the full OBF string.  Everything works fine if I use the raw password.

Any insight would be appreciated.

Thanks

Mike

Here’s my jetty-env.xml (removing the specifics of my machine/domain):

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <New id="limsDS" class="org.eclipse.jetty.plus.jndi.Resource">
    <Arg></Arg>
    <Arg>jdbc/limsDS</Arg>
    <Arg>
      <New class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <Set name="driverClass">oracle.jdbc.OracleDriver</Set>
        <Set name="jdbcUrl">jdbc:oracle:thin:@xxx.xxx.com:1521:lims1</Set>
        <Set name="User">limsweb_dev</Set>
        <Set name="Password">OBF:1lmb1k8k1kmy1lts20001t331sal1sap1t331zzy1lq61kjo1k5m1ljf</Set>
        <Set name="initialPoolSize">1</Set>
        <Set name="minPoolSize">1</Set>
        <Set name="maxPoolSize">32</Set>
      </New>
    </Arg>
  </New>
</Configure>


_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev
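
Added example, not part of the original messages and not taken from the Jetty project: because <Set> is treated as plain code, the conversion can be invoked explicitly through the public static method org.eclipse.jetty.util.security.Password.deobfuscate(String). The OBF value below is a placeholder; the remaining values are copied from the jetty-env.xml in the thread.

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <New id="limsDS" class="org.eclipse.jetty.plus.jndi.Resource">
    <Arg></Arg>
    <Arg>jdbc/limsDS</Arg>
    <Arg>
      <New class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <Set name="driverClass">oracle.jdbc.OracleDriver</Set>
        <Set name="jdbcUrl">jdbc:oracle:thin:@xxx.xxx.com:1521:lims1</Set>
        <Set name="User">limsweb_dev</Set>

        <!-- Before: c3p0 is not a Jetty component, so setPassword() receives
             the literal "OBF:" text and the database login fails.
        <Set name="Password">OBF:REPLACE_WITH_OBFUSCATED_VALUE</Set>
        -->

        <!-- After: the <Call> runs first and its return value (the clear-text
             password) is what <Set> passes to setPassword(). -->
        <Set name="Password">
          <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
            <Arg>OBF:REPLACE_WITH_OBFUSCATED_VALUE</Arg>
          </Call>
        </Set>

        <Set name="initialPoolSize">1</Set>
        <Set name="minPoolSize">1</Set>
        <Set name="maxPoolSize">32</Set>
      </New>
    </Arg>
  </New>
</Configure>
```

OBF is a reversible encoding with no key, so anyone who can read jetty-env.xml can recover the password; file permissions on the configuration still carry the protection.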


