Scott:
 
Thank you for your reply.
 
Sorry, I don't understand why you need another password. The user-name/password in mysql-ds.xml is the only user for jboss to communicate with mysql. At this moment, let's assume we need another password. Certainly, I can't get another user-name/password to encode the above from mysql-ds.xml. Can we try to get something from other database such as hsqldb-ds.xml (which I assume is embedded in JBOSS) or some flat files? Do we need to encode this password too?
 
Since I don't know your potential solution, my point is that the password in mysql-ds.xml should be encoded (using SHA for hashAlgorithm, base64 for hashEncoding) and JBOSS should be able to decode it when it gets it and use this decoded password to connect to MySql database. I checked the code UsersRolesLoginModule.java; there is no problem to encode a password, but I don't know how JBOSS can decode this encoded password. My understanding is that for normal JAAS, the encoded password is stored, and when the input user-name and password come, JBOSS will encode the input password and compare it with stored password. But in my scenario, we don't have the input password.
 
Anyway, could you/JBOSS provide a secure way (or a sample) to communicate with database? Right now the plain user-name and password are less secure. I think this will benefit the jboss application and extend the reach of jboss.
 
Again thanks,
 
Mark
 
--- Scott M Stark <[EMAIL PROTECTED]> wrote:
> How do you want the password used to encrypt this password to be stored/used?
>
> xxxxxxxxxxxxxxxxxxxxxxxx
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
> xxxxxxxxxxxxxxxxxxxxxxxx
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Wang
> Sent: Tuesday, January 27, 2004 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: [JBoss-user] how to encode database password in descriptor file mysql-ds.xml
>
>
>
> Dear JBOSS Experts:
>
> I am using JBOSS 3.2.3 and MySql 4.0.16. Under the directory $JBOSS_HOME/server/default/deploy, there is a file "mysql-ds.xml".
>
> The file has something like the following:
>
> ......................................................
>
>
> <datasources>
> <local-tx-datasource>
> <jndi-name>MySqlDS</jndi-name>
> <connection-url>jdbc:mysql://localhost:3306/authority</connection-url>
> <driver-class>org.gjt.mm.mysql.Driver</driver-class>
> <user-name>test</user-name>
> <password>test123</password>
> </local-tx-datasource>
>
> </datasources>
>
> ..................................................................
>
>
> Since the database user-name ("test") and password ("test123") are plain texts, these are big security flaws. Anybody who can read this file can use this user-name and password to do anything with the database.
>
> How can we encode the password so that even if people can read this file, they can't get the original password?
>
> Could somebody provide a sample configuration file "mysql-ds.xml" and related files?
>
> Thanks a million,
>
> Mark
>
>
>
> ------------------------------------------------------- 
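
The distinction the thread turns on, as an added example that is not part of the original messages and not JBoss code: a stored digest is enough to check a password a user types in, but a datasource has no typed password, so the server must recover the plaintext from a reversible encryption, and that needs a key kept somewhere. The class name, SHA-256 and AES-GCM choices, and the randomly generated demo key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DsPasswordDemo {               // hypothetical class name
    // Login-module style: only a digest is stored; it cannot be turned back into the password.
    static String hash(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(d);
    }

    // Inbound check: hash what the user typed and compare it with the stored digest.
    static boolean verifyLogin(String typed, String storedHash) throws Exception {
        return MessageDigest.isEqual(hash(typed).getBytes(StandardCharsets.UTF_8),
                                     storedHash.getBytes(StandardCharsets.UTF_8));
    }

    // Outbound case: reversible encryption. Output is base64(IV || ciphertext and tag).
    static String encrypt(String password, byte[] key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);   // fresh IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // What the server would do at connect time; fails if the blob or key is wrong.
    static String decrypt(String blob, byte[] key) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String stored = hash("test123");    // sample password from the thread
        System.out.println("login check: " + verifyLogin("test123", stored));
        byte[] key = new byte[16];          // constructed demo key; where it lives is the open question
        new SecureRandom().nextBytes(key);
        String inFile = encrypt("test123", key);   // what a descriptor could hold instead of plaintext
        System.out.println(inFile + " -> " + decrypt(inFile, key));
    }
}
```

Anyone who can read both the encrypted value and the key can recover the database password, so the protection comes from storing the key with tighter access than the descriptor file.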