(Hope you don't mind me jumping in here.) Perhaps the quickest solution is
just to make the {db}-ds.xml file read-only for the JBoss account and not
accessible for anyone else. (This should be common practice for any file
containing passwords, regardless of the application.) Further, JBoss should be
running using its very own (locked) account.

The trouble I see with going to all the effort of encrypting a password in the
{db}-ds.xml file and then decrypting it elsewhere is that now you've
transferred the problem to how you control that encryption key. You'll likely
be needing to use symmetric encryption with a shared key - assuming you need to
recover the cleartext password for the driver. So now that encryption key
needs to be stored somewhere... Hardcoding the key is a bad practice for
several reasons. Maybe there's a way to use PKE here... but I have to ask:
does the driver send the password across the wire in cleartext to the database?

r,
Lance

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3856140#3856140
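
The file-permission approach suggested in the post above, as an added example that is not part of the original post or of JBoss itself: a POSIX shell audit that flags any *-ds.xml file not owned by the expected service account or not set to mode 400. The deploy directory and account name are supplied by the caller and are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on JBoss *-ds.xml files.
# The account name and deploy directory passed in are assumptions.

# Print "<octal mode> <owner>" for a file (GNU stat first, BSD stat as fallback).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Return 0 only if the file is owned by the expected account with mode 400
# (read-only for the owner, no access for group or others).
audit_ds_file() {
    file=$1
    expected_owner=$2
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "SKIP $file: not a regular file"; return 2; }
    set -- $(file_mode_owner "$file")
    mode=$1
    owner=$2
    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL $file: owner is $owner, expected $expected_owner"; status=1
    fi
    if [ "$mode" != "400" ]; then
        echo "FAIL $file: mode is $mode, expected 400"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK   $file"
    return "$status"
}

# Audit every *-ds.xml in a deploy directory; non-zero if any file fails.
audit_ds_dir() {
    dir=$1; expected_owner=$2; failures=0
    for f in "$dir"/*-ds.xml; do
        [ -e "$f" ] || continue
        audit_ds_file "$f" "$expected_owner" || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Make the file read-only for its owner and inaccessible to everyone else.
# Changing the owner (chown) needs root, so it is left to the administrator.
harden_ds_file() {
    chmod 400 "$1"
}

# Usage: sh audit-ds.sh <deploy-dir> <service-account>
if [ "$#" -eq 2 ]; then audit_ds_dir "$1" "$2"; fi
```

This only narrows who can read the cleartext password on disk; it does not address the post's closing question about how the driver sends the password to the database.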

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user