Using Encrypted DataSource Password in JBoss AS7

Reposted 2013-12-04 22:44:16

Securing application server resources is one of the most important administrative tasks. JBoss AS7 uses the PicketBox security implementation. In this example we will see how to provide an encrypted password for our DataSources rather than a cleartext password. PicketBox provides a class for encrypting cleartext passwords: “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In earlier versions of JBoss, however, the class was part of a different package, “org.jboss.resource.security.SecureIdentityLoginModule”. So when using JBoss AS7 we must always make sure that we are using the right SecureIdentityLoginModule class, “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link:
http://www.jboss.org/jbossas/downloads

Step1). Create a DataSource as follows:

<subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS" enabled="true">
            <connection-url>
                jdbc:h2:mem:test;DB_CLOSE_DELAY=-1
            </connection-url>
            <driver>
                h2
            </driver>
            <security>
                <user-name>sa</user-name>
                <password>sa</password>
            </security>
        </datasource>

        <!-- ************************************************* -->
        <!-- We Added the below DataSource configuration Here -->
        <datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS_Pool" enabled="true" jta="false" use-ccm="false">
            <connection-url>
                jdbc:mysql://localhost:3306/testDB
            </connection-url>
            <driver-class>
                com.mysql.jdbc.Driver
            </driver-class>
            <driver>
                mysql-connector-java-5.1.13-bin.jar
            </driver>
            <security>
                <security-domain>
                    encrypted-ds
                </security-domain>
            </security>
        </datasource>
        <!-- ************************************************* -->

        <drivers>
            <driver name="h2" module="com.h2database.h2">
                <xa-datasource-class>
                    org.h2.jdbcx.JdbcDataSource
                </xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>

NOTE:
In the above case we are using the “mysql-connector-java-5.1.13-bin.jar” JDBC driver, which is JDBC 4 compliant, so we simply placed this JAR file inside the “jboss-as-7.1.0.Beta1/standalone/deployments” directory before creating the DataSource.

NOTE:
In the above DataSource configuration you will notice that inside the security tags we have NOT provided the username and password; instead we provide the security-domain name (encrypted-ds), which we are going to configure in the next steps.

NOTE:
For more information on installing JDBC Driver and creating DataSources you can refer to the following article: http://middlewaremagic.com/jboss/?p=872

NOTE:
The simplest thing you can do is create a DataSource through the JBoss Console as described in the above link and then edit the following section of your DataSource to use a security-domain element rather than the user-name and password elements.

<security>
     <user-name>dbUserOne</user-name>
     <password>PasswordXYZ</password>
</security>

Step2). Open a shell prompt and set the CLASSPATH to point to the following JARs, “picketbox-4.0.6.Beta1.jar” and “jboss-logging-3.1.0.CR2.jar”, because these JARs are required to encrypt the cleartext password.

[userone@localhost ~]$ export JBOSS_HOME=/home/userone/jboss-as-7.1.0.Beta1

[userone@localhost ~]$ export CLASSPATH=${JBOSS_HOME}/modules/org/picketbox/main/picketbox-4.0.6.Beta1.jar:${JBOSS_HOME}/modules/org/jboss/logging/main/jboss-logging-3.1.0.CR2.jar:$CLASSPATH

[userone@localhost ~]$ java org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Encoded password: -5bbc51443039e029747687c1d9ec6a8d

NOTE: In the above demo we suppose our database password is “PasswordXYZ”; after running the above command we got the encrypted password “-5bbc51443039e029747687c1d9ec6a8d”.

Step3). Now we need to create a “security-domain” inside our “${JBOSS_HOME}/standalone/configuration/standalone-full.xml” file as follows, providing the above encrypted password:

<security-domain name="encrypted-ds" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="dbUserOne"/>
            <module-option name="password" value="-5bbc51443039e029747687c1d9ec6a8d"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
        </login-module>
    </authentication>
</security-domain>

Step4). That’s all. Now just restart your JBoss profile as follows:

./standalone.sh -c standalone-full.xml
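
A check worth running on the edited profile before the restart, as an added example (not part of the original article): the script flags datasources that still carry a cleartext <password>, reference an undefined security-domain, use the pre-AS7 login-module class, or hold a password option that is not encoder output. The embedded profile fragment and the pool names OldDS_Pool and LostDS_Pool are constructed, and treating encoder output as a signed lowercase hex string is an assumption based on the sample value in Step2.

```python
import re
import xml.etree.ElementTree as ET

PICKETBOX = "org.picketbox.datasource.security.SecureIdentityLoginModule"
LEGACY = "org.jboss.resource.security.SecureIdentityLoginModule"

# Constructed sample: a trimmed profile fragment modelled on the article's configuration.
SAMPLE = """<server><datasources xmlns="urn:jboss:domain:datasources:1.0">
 <datasource pool-name="H2DS"><security><password>sa</password></security></datasource>
 <datasource pool-name="MySqlDS_Pool"><security><security-domain>encrypted-ds</security-domain></security></datasource>
 <datasource pool-name="OldDS_Pool"><security><security-domain>old-ds</security-domain></security></datasource>
 <datasource pool-name="LostDS_Pool"><security><security-domain>missing-ds</security-domain></security></datasource>
</datasources>
<security-domain name="encrypted-ds"><login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule">
 <module-option name="password" value="-5bbc51443039e029747687c1d9ec6a8d"/></login-module></security-domain>
<security-domain name="old-ds"><login-module code="org.jboss.resource.security.SecureIdentityLoginModule">
 <module-option name="password" value="PasswordXYZ"/></login-module></security-domain>
</server>"""

def named(root, name):
    """Descendants whose tag, with any XML namespace stripped, equals name."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return sorted (pool-name, finding) pairs for datasource credential problems."""
    root = ET.fromstring(xml_text)
    # Domain definitions carry a name attribute; datasource references carry text instead.
    domains = {d.get("name"): d for d in named(root, "security-domain") if d.get("name")}
    out = []
    for ds in named(root, "datasource"):
        pool = ds.get("pool-name")
        if named(ds, "password"):
            out.append((pool, "cleartext <password> element"))
        for ref in named(ds, "security-domain"):
            dom = domains.get((ref.text or "").strip())
            if dom is None:
                out.append((pool, "security-domain not defined"))
                continue
            for lm in named(dom, "login-module"):
                if lm.get("code") == LEGACY:
                    out.append((pool, "pre-AS7 login-module class"))
                elif lm.get("code") != PICKETBOX:
                    continue  # some other login module: its options are not checked
                for opt in named(lm, "module-option"):  # assumption: encoder output is signed hex
                    if opt.get("name") == "password" and not re.fullmatch(r"-?[0-9a-f]+", opt.get("value") or ""):
                        out.append((pool, "password option is not encoder output"))
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(f"{pool}: {msg}" for pool, msg in audit(SAMPLE)))
```

A clean result means only that the credential is stored in encoded form: SecureIdentityLoginModule encodes with a fixed key built into the class, so read access to the configuration file still has to be restricted.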

Testing JBossAS7 DataSource connections using CLI

Step5). The following JBoss CLI commands can be used to test whether your DataSource is working.
In Standalone mode:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

In Domain mode:

[domain@localhost:9999 /] /host=master/server=server-one/subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

What if you enter a Wrong Encrypted password in your JBoss Configuration?

Then you will see the following kind of exception in your JBoss console:

03:19:12,578 INFO  [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011907: Register module: Module "deployment.mysql-connector-java-5.1.13-bin.jar:main" from Service Module Loader
03:19:12,641 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1047) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1042) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1041) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:581) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:283) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:116) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]

AND

ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 3) IJ000614: Exception during createSubject() PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:121) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:116) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:115) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:85) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:121) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:60) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations.execute(PoolOperations.java:74) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl$DefaultPrepareStepHandler.execute(ModelControllerImpl.java:473) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:126) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:111) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:139) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:108) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:295)
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:512)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]

And your CLI command to test DataSource connections will fail as follows:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "failed",
    "failure-description" => "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid",
    "rolled-back" => true
}

Thanks
MiddlewareMagic Team


Original article: http://middlewaremagic.com/jboss/?p=1026
