Re: [jetty-dev] Password obfuscation in 8.1.2

Yes - in fact I liked it so much I've put it into the jetty
documentation on password obfuscation!

Jan

On 24 October 2013 02:58, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
> Vladimir,
>
> Very creative! :-)
>
> --
> Joakim Erdfelt <joakim@xxxxxxxxxxx>
> webtide.com - intalio.com/jetty
> Expert advice, services and support from the Jetty & CometD experts
> eclipse.org/jetty - cometd.org
>
>
> On Wed, Oct 23, 2013 at 7:49 AM, Vladimir Tsanev <tsachev@xxxxxxxxx> wrote:
>>
>> Or try working around it with
>>
>> <Set name="Password">
>>   <Arg>
>>     <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
>>       <Arg>OBF:1lmb1k8k1kmy1lts20001t331sal1sap1t331zzy1lq61kjo1k5m1ljf</Arg>
>>     </Call>
>>   </Arg>
>> </Set>
>>
>> On Wed, Oct 23, 2013 at 5:04 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
>> > The obfuscated password strings that
>> > org.eclipse.jetty.util.security.Password produces are recognized by various
>> > jetty components and converted when they see them.
>> >
>> > However, <New class="com.mchange.v2.c3p0.ComboPooledDataSource">, is not a
>> > Jetty component.
>> > The Jetty IoC XML format has no magic behavior with regards to Password
>> > handling.
>> > Think of the <New> and <Set> calls as code.
>> >
>> > If you would like to see the Jetty IoC XML format convert obfuscated
>> > passwords before calling the components, then file a feature request asking
>> > for this magic behavior.
>> > https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Jetty&format=guided
>> >
>> >
>> > --
>> > Joakim Erdfelt <joakim@xxxxxxxxxxx>
>> > webtide.com - intalio.com/jetty
>> > Expert advice, services and support from the Jetty & CometD experts
>> > eclipse.org/jetty - cometd.org
>> >
>> >
>> > On Tue, Oct 22, 2013 at 6:00 PM, Mike Harrelson <mharrelson@xxxxxxxxxxxxxx> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I’ve read the secure password obfuscation document from:
>> >>
>> >> http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
>> >>
>> >> And I’m trying to use the OBF version of my password in a jetty-env.xml
>> >> data source configuration but it’s not converting back to the original
>> >> password.  I’ve looked at what’s being passed into the data source’s
>> >> setPassword and it’s the full OBF string.  Everything works fine if I use
>> >> the raw password.
>> >>
>> >> Any insight would be appreciated.
>> >>
>> >> Thanks
>> >>
>> >> Mike
>> >>
>> >> Here’s my jetty-env.xml (removing the specifics of my machine/domain):
>> >>
>> >> <?xml version="1.0"?>
>> >> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
>> >>
>> >> <Configure class="org.eclipse.jetty.webapp.WebAppContext">
>> >>   <New id="limsDS" class="org.eclipse.jetty.plus.jndi.Resource">
>> >>     <Arg></Arg>
>> >>     <Arg>jdbc/limsDS</Arg>
>> >>     <Arg>
>> >>       <New class="com.mchange.v2.c3p0.ComboPooledDataSource">
>> >>         <Set name="driverClass">oracle.jdbc.OracleDriver</Set>
>> >>         <Set name="jdbcUrl">jdbc:oracle:thin:@xxx.xxx.com:1521:lims1</Set>
>> >>         <Set name="User">limsweb_dev</Set>
>> >>         <Set name="Password">OBF:1lmb1k8k1kmy1lts20001t331sal1sap1t331zzy1lq61kjo1k5m1ljf</Set>
>> >>         <Set name="initialPoolSize">1</Set>
>> >>         <Set name="minPoolSize">1</Set>
>> >>         <Set name="maxPoolSize">32</Set>
>> >>       </New>
>> >>     </Arg>
>> >>   </New>
>> >> </Configure>
>> >>
>> >>
>> >> _______________________________________________
>> >> jetty-dev mailing list
>> >> jetty-dev@xxxxxxxxxxx
>> >> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>> >>



-- 
Jan Bartel <janb@xxxxxxxxxxx>
www.webtide.com
'Expert Jetty/CometD developer,production,operations advice'
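
Added example, not part of the original thread and not Jetty project code: a small check for the misconfiguration discussed above, where an OBF: literal in a Jetty XML file is handed unchanged to a non-Jetty class. It assumes that only classes under org.eclipse.jetty convert OBF: values themselves; the function name, sample documents and placeholder OBF value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: only classes in Jetty's own packages convert OBF: strings themselves.
JETTY_PREFIX = "org.eclipse.jetty."

def find_literal_obf(xml_text):
    """Return (receiving class, property) for each OBF: literal a non-Jetty class would get."""
    findings = []

    def walk(elem, owner):
        # <Configure>, <New> and a static <Call class=...> name the class that
        # receives the values nested inside them.
        if elem.tag in ("Configure", "New", "Call") and elem.get("class"):
            owner = elem.get("class")
        text = (elem.text or "").strip()
        if elem.tag in ("Set", "Arg") and text.startswith("OBF:"):
            if not owner.startswith(JETTY_PREFIX):
                findings.append((owner, elem.get("name", "(constructor arg)")))
        for child in elem:
            walk(child, owner)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed samples; the OBF value is a placeholder, not a real obfuscated password.
BROKEN = """
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <New id="ds" class="org.eclipse.jetty.plus.jndi.Resource">
    <Arg></Arg>
    <Arg>jdbc/exampleDS</Arg>
    <Arg>
      <New class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <Set name="User">example_user</Set>
        <Set name="Password">OBF:placeholder</Set>
      </New>
    </Arg>
  </New>
</Configure>
"""
# Same document with the literal wrapped in an explicit Password.deobfuscate call.
FIXED = BROKEN.replace(
    "OBF:placeholder",
    '<Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">'
    "<Arg>OBF:placeholder</Arg></Call>",
)

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, find_literal_obf(doc))
```
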

