Using Encrypted DataSource Password in JBoss AS7

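This article explains how to configure an encrypted password for a data source in JBoss AS7, using the picketbox security implementation to protect application server resources. It walks through an example of creating a data source with an encrypted password and provides a way to test the data source connection.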


Securing our application server resources is one of the most important administrative tasks. JBoss AS7 uses the picketbox security implementation. In this example we will see how to provide an encrypted password for our DataSources rather than a clear-text password. Picketbox provides a class for encrypting clear-text passwords: “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In earlier versions of JBoss, however, the class was part of a different package, “org.jboss.resource.security.SecureIdentityLoginModule”. So when using JBoss AS7 we must always make sure that we are using the right SecureIdentityLoginModule class, “org.picketbox.datasource.security.SecureIdentityLoginModule”.

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link:
http://www.jboss.org/jbossas/downloads

Step1). Create a DataSource as follows:

<subsystem xmlns="urn:jboss:domain:datasources:1.0">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS" enabled="true">
            <connection-url>
                jdbc:h2:mem:test;DB_CLOSE_DELAY=-1
            </connection-url>
            <driver>
                h2
            </driver>
            <security>
                <user-name>sa</user-name>
                <password>sa</password>
            </security>
        </datasource>

        <!-- ************************************************* -->
        <!-- We Added the below DataSource configuration Here -->
        <datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS_Pool" enabled="true" jta="false" use-ccm="false">
            <connection-url>
                jdbc:mysql://localhost:3306/testDB
            </connection-url>
            <driver-class>
                com.mysql.jdbc.Driver
            </driver-class>
            <driver>
                mysql-connector-java-5.1.13-bin.jar
            </driver>
            <security>
                <security-domain>
                    encrypted-ds
                </security-domain>
            </security>
        </datasource>
        <!-- ************************************************* -->

        <drivers>
            <driver name="h2" module="com.h2database.h2">
                <xa-datasource-class>
                    org.h2.jdbcx.JdbcDataSource
                </xa-datasource-class>
            </driver>
        </drivers>
    </datasources>
</subsystem>

NOTE:
In the above case we are using the “mysql-connector-java-5.1.13-bin.jar” JDBC driver, which is JDBC 4 compliant, so we just placed this JAR file inside the “jboss-as-7.1.0.Beta1/standalone/deployments” directory before creating the DataSource.

NOTE:
In the above DataSource configuration you will notice that inside the security tags we have NOT provided the username and password; instead we provide the security-domain name (encrypted-ds), which we are going to configure in the next steps.

NOTE:
For more information on installing a JDBC driver and creating DataSources you can refer to the following article: http://middlewaremagic.com/jboss/?p=872

NOTE:
The simplest thing you can do is create a DataSource through the JBoss Console as described in the above link and then edit the following section of your DataSource to use security-domain rather than the user-name and password elements.

<security>
     <user-name>dbUserOne</user-name>
     <password>PasswordXYZ</password>
</security>

Step2). Open a shell prompt and set the CLASSPATH to point to the following JARs, “picketbox-4.0.6.Beta1.jar” and “jboss-logging-3.1.0.CR2.jar”, because these JARs are required to encrypt the clear-text password.

[userone@localhost ~]$ export JBOSS_HOME=/home/userone/jboss-as-7.1.0.Beta1

[userone@localhost ~]$ export CLASSPATH=${JBOSS_HOME}/modules/org/picketbox/main/picketbox-4.0.6.Beta1.jar:${JBOSS_HOME}/modules/org/jboss/logging/main/jboss-logging-3.1.0.CR2.jar:$CLASSPATH

[userone@localhost ~]$ java org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Encoded password: -5bbc51443039e029747687c1d9ec6a8d

NOTE: In the above demo, suppose our database password is “PasswordXYZ”; after running the above command we got the encrypted password “-5bbc51443039e029747687c1d9ec6a8d”.

Step3). Now we need to create a “security-domain” inside our “${JBOSS_HOME}/standalone/configuration/standalone-full.xml” file as follows, providing the above encrypted password:

<security-domain name="encrypted-ds" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="dbUserOne"/>
            <module-option name="password" value="-5bbc51443039e029747687c1d9ec6a8d"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
        </login-module>
    </authentication>
</security-domain>

Step4). That’s all. Now just restart your JBoss profile as follows:

./standalone.sh -c standalone-full.xml
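A configuration check for Steps 1 to 3, as an added example that is not part of the original article: it reports datasources that still carry a clear-text password, reference a security-domain that is not defined, or point at a domain using the pre-AS7 class name or a password option that does not look like the Step 2 output. The sample XML is constructed, and the function names and the hex-shape test for encoded values are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

OLD_CLASS = "org.jboss.resource.security.SecureIdentityLoginModule"  # pre-AS7 package
ENCODED = re.compile(r"-?[0-9a-f]+")  # shape of the Step 2 output (heuristic, assumed)
# Constructed sample, not a real server file.
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
  <datasource jndi-name="java:/PlainDS" pool-name="Plain_Pool">
   <security><user-name>dbUserOne</user-name><password>PasswordXYZ</password></security>
  </datasource>
  <datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS_Pool">
   <security><security-domain> encrypted-ds </security-domain></security>
  </datasource>
 </datasources></subsystem>
 <security-domain name="encrypted-ds" cache-type="default"><authentication>
  <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
   <module-option name="password" value="PasswordXYZ"/>
  </login-module></authentication></security-domain>
</server>"""

def find(root, name):
    """All elements under root (root included) named `name`, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return (pool-name, finding) pairs for datasource credential problems."""
    root = ET.fromstring(xml_text)
    domains = {d.get("name"): d for d in find(root, "security-domain") if d.get("name")}
    findings = []
    for ds in find(root, "datasource"):
        pool = ds.get("pool-name")
        if find(ds, "password"):
            findings.append((pool, "clear-text password in datasource"))
        for ref in find(ds, "security-domain"):
            domain = domains.get((ref.text or "").strip())
            if domain is None:
                findings.append((pool, "security-domain not defined"))
                continue
            for module in find(domain, "login-module"):
                if module.get("code") == OLD_CLASS:
                    findings.append((pool, "pre-AS7 SecureIdentityLoginModule class"))
                for opt in find(module, "module-option"):
                    if opt.get("name") == "password" and not ENCODED.fullmatch(opt.get("value", "")):
                        findings.append((pool, "password option is not an encoded value"))
    return findings

if __name__ == "__main__":
    print(*(f"{pool}: {finding}" for pool, finding in audit(SAMPLE)), sep="\n")
```

The key used by SecureIdentityLoginModule is built into PicketBox, so anyone with the JAR can reverse the encoded value; keep read access to the configuration file restricted even after the clear-text password is gone.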

Testing JBossAS7 DataSource connections using CLI

Step5). The following JBoss CLI commands can be used to test whether your DataSource is working.
In Standalone mode:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

In Domain mode:

[domain@localhost:9999 /] /host=master/server=server-one/subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

What if you enter a wrong encrypted password in your JBoss configuration?

Then you will see the following kind of exception in your JBoss console:

03:19:12,578 INFO  [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011907: Register module: Module "deployment.mysql-connector-java-5.1.13-bin.jar:main" from Service Module Loader
03:19:12,641 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1047) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1042) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1041) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:581) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:283) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:116) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]

AND

ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 3) IJ000614: Exception during createSubject() PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
    at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:121) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:116) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:115) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:85) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:121) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:60) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.connector.subsystems.common.pool.PoolOperations.execute(PoolOperations.java:74) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl$DefaultPrepareStepHandler.execute(ModelControllerImpl.java:473) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:126) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:111) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:139) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:108) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:295)
    at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:512)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]

And your CLI command to test DataSource connections will fail as follows:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "failed",
    "failure-description" => "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid",
    "rolled-back" => true
}

Thanks
MiddlewareMagic Team



Original article: http://middlewaremagic.com/jboss/?p=1026