Using Encrypted DataSource Password in JBoss AS7

Reposted 2013-12-04 22:44:16

Securing our Application Server resources is one of the most important administrative tasks. JBoss AS7 uses the PicketBox security implementation. In this example we will see how to provide an encrypted password for our DataSources rather than a clear-text password. PicketBox provides a class for encrypting clear-text passwords: “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In earlier versions of JBoss, however, the class was part of a different package, “org.jboss.resource.security.SecureIdentityLoginModule”. So when using JBoss AS7 we must always make sure that we use the right SecureIdentityLoginModule class, “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link:
http://www.jboss.org/jbossas/downloads

Step1). Create a DataSource as follows:

<subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS" enabled="true">
            <connection-url>
                jdbc:h2:mem:test;DB_CLOSE_DELAY=-1
            </connection-url>
            <driver>
                h2
            </driver>
            <security>
                <user-name>sa</user-name>
                <password>sa</password>
            </security>
        </datasource>

        <!-- ************************************************* -->
        <!-- We Added the below DataSource configuration Here -->
        <datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS_Pool" enabled="true" jta="false" use-ccm="false">
            <connection-url>
                jdbc:mysql://localhost:3306/testDB
            </connection-url>
            <driver-class>
                com.mysql.jdbc.Driver
            </driver-class>
            <driver>
                mysql-connector-java-5.1.13-bin.jar
            </driver>
            <security>
                <security-domain>
                    encrypted-ds
                </security-domain>
            </security>
        </datasource>
        <!-- ************************************************* -->

        <drivers>
            <driver name="h2" module="com.h2database.h2">
                <xa-datasource-class>
                    org.h2.jdbcx.JdbcDataSource
                </xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>

NOTE:
In the above case we are using the “mysql-connector-java-5.1.13-bin.jar” JDBC Driver, which is a JDBC 4 compliant Driver, so we just placed this Jar file inside the “jboss-as-7.1.0.Beta1/standalone/deployments” directory before creating the DataSource.

NOTE:
In the above DataSource configuration you will notice that inside the security tags we have NOT provided the username and password; instead we provide the security-domain name (encrypted-ds), which we are going to configure in the next steps.

NOTE:
For more information on installing JDBC Driver and creating DataSources you can refer to the following article: http://middlewaremagic.com/jboss/?p=872

NOTE:
The simplest thing you can do is create a DataSource through the JBoss Console as described in the above link, and then edit the following section of your DataSource to use a security-domain rather than the user-name and password elements.

<security>
     <user-name>dbUserOne</user-name>
     <password>PasswordXYZ</password>
</security>

Step2). Open a shell prompt and set the CLASSPATH to point to the JARs “picketbox-4.0.6.Beta1.jar” and “jboss-logging-3.1.0.CR2.jar”, because these JARs are required to encrypt the clear-text password.

[userone@localhost ~]$ export JBOSS_HOME=/home/userone/jboss-as-7.1.0.Beta1
[userone@localhost ~]$ export CLASSPATH=${JBOSS_HOME}/modules/org/picketbox/main/picketbox-4.0.6.Beta1.jar:${JBOSS_HOME}/modules/org/jboss/logging/main/jboss-logging-3.1.0.CR2.jar:$CLASSPATH

[userone@localhost ~]$ java org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Encoded password: -5bbc51443039e029747687c1d9ec6a8d

NOTE: In the above demo, suppose our database password is “PasswordXYZ”; after running the above command we got the encrypted password “-5bbc51443039e029747687c1d9ec6a8d”.

Step3). Now we need to create a “security-domain” inside our “${JBOSS_HOME}/standalone/configuration/standalone-full.xml” file as follows, providing the encrypted password from above:

<security-domain name="encrypted-ds" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="dbUserOne"/>
            <module-option name="password" value="-5bbc51443039e029747687c1d9ec6a8d"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
        </login-module>
    </authentication>
</security-domain>
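
A configuration check for the setup built in Steps 1 to 3, as an added example that is not part of the original article: it flags any datasource that still carries a clear-text <password>, and verifies that each referenced security-domain is defined and uses the picketbox SecureIdentityLoginModule class rather than the older org.jboss.resource.security one. The function names audit and local, the OldDS_Pool/old-ds entries and the embedded sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PICKETBOX = "org.picketbox.datasource.security.SecureIdentityLoginModule"
# Constructed sample modelled on the article's config; OldDS_Pool/old-ds are hypothetical.
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
  <datasource pool-name="H2DS"><security><password>sa</password></security></datasource>
  <datasource pool-name="MySqlDS_Pool">
   <security><security-domain> encrypted-ds </security-domain></security></datasource>
  <datasource pool-name="OldDS_Pool">
   <security><security-domain>old-ds</security-domain></security></datasource>
 </datasources></subsystem>
 <subsystem xmlns="urn:jboss:domain:security:1.1"><security-domains>
  <security-domain name="encrypted-ds"><authentication>
   <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required"/>
  </authentication></security-domain>
  <security-domain name="old-ds"><authentication>
   <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required"/>
  </authentication></security-domain>
 </security-domains></subsystem>
</server>"""

def local(el):
    """Tag name without its XML namespace, so any schema version matches."""
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return {pool-name: verdict} for every <datasource> in the configuration."""
    root = ET.fromstring(xml_text)
    # Named <security-domain> elements are definitions; map each to its login-module classes.
    domains = {d.get("name"): [m.get("code") for m in d.iter() if local(m) == "login-module"]
               for d in root.iter() if local(d) == "security-domain" and d.get("name")}
    findings = {}
    for ds in (e for e in root.iter() if local(e) == "datasource"):
        kids = {local(c): (c.text or "").strip() for c in ds.iter()}
        ref = kids.get("security-domain")  # unnamed element inside <security> is a reference
        if "password" in kids:
            verdict = "cleartext password"
        elif ref not in domains:
            verdict = "security-domain missing or undefined"
        elif PICKETBOX not in domains[ref]:
            verdict = "wrong login-module class"
        else:
            verdict = "ok"
        findings[ds.get("pool-name")] = verdict
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real server, pass the text of a copy of standalone-full.xml to audit() in place of SAMPLE.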

Step4). That’s all. Now just restart your JBoss profile as follows:

./standalone.sh -c standalone-full.xml

Testing JBossAS7 DataSource connections using CLI

Step5). The following JBoss CLI commands can be used to test whether your DataSource is working.
In Standalone mode:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

In Domain mode:

[domain@localhost:9999 /] /host=master/server=server-one/subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

What if you enter a Wrong Encrypted password in your JBoss Configuration?

Then you will see the following kind of exception in your JBoss console:

03:19:12,578 INFO  [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011907: Register module: Module "deployment.mysql-connector-java-5.1.13-bin.jar:main" from Service Module Loader
03:19:12,641 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1047) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1042) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1041) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:581) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:283) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:116) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]

AND

ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 3) IJ000614: Exception during createSubject() PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:121) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:116) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:115) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:85) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:121) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:60) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations.execute(PoolOperations.java:74) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl$DefaultPrepareStepHandler.execute(ModelControllerImpl.java:473) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:126) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:111) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:139) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:108) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:295)
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:512)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]

And your CLI command to test DataSource connections will fail as follows:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "failed",
    "failure-description" => "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid",
    "rolled-back" => true
}

Thanks
MiddlewareMagic Team


Original article: http://middlewaremagic.com/jboss/?p=1026
