Hi Joakim,

Yes, I'll try that avenue. In fact, which algorithm should I use to decrypt the CRYPT string output by "java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password me blah", previously encrypted by me?
Thanks,
vtez

On Fri, 29 Dec 2017 at 14:21 Joakim Erdfelt <[email protected]> wrote:

> The org.eclipse.jetty.util.security.Password is for password obfuscation (OBF:) and verification (MD5: CRYPT:).
> It's meant to prevent casual discovery of the password.
>
> If an undesired user has access to the XML, then they have the means to deobfuscate / decrypt the password too.
> This fundamental truth remains unchanged no matter how complicated you make the obfuscation. (the org.eclipse.jetty.util.security.Password is present and must be able to deobfuscate for it to work)
>
> We have no feature in Jetty itself to encrypt/decrypt a password during XML usage.
> But that doesn't prevent you from creating your own class to do that.
>
> You can call an arbitrary class/method in the XML and have it return the String form, just like you see in the linked documentation you provided.
>
> Aka ...
>
> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>   <Arg></Arg>
>   <Arg>jdbc/DSTest</Arg>
>   <Arg>
>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>       <Set name="username">dbuser</Set>
>       <Set name="password">
>         <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
>           <Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg>
>         </Call>
>       </Set>
>       <Set name="minConnectionsPerPartition">5</Set>
>       <Set name="maxConnectionsPerPartition">50</Set>
>       <Set name="acquireIncrement">5</Set>
>       <Set name="idleConnectionTestPeriod">30</Set>
>     </New>
>   </Arg>
> </New>
>
> The org.eclipse.jetty.util.security.Password.deobfuscate(String) static method exists here ...
>
> https://github.com/eclipse/jetty.project/blob/jetty-9.4.8.v20171121/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java#L181-L209
>
> So, create your own class/static method.
> Put it in the server classpath, and you should be able to use it from the XML for your own purposes.
>
> Eg:
>
> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>   <Arg></Arg>
>   <Arg>jdbc/DSTest</Arg>
>   <Arg>
>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>       <Set name="username">dbuser</Set>
>       <Set name="password">
>         <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
>           <Arg>VGhpcyBpcyB3aGVyZSB5b3VyIGVuY3J5cHRlZCBwYXNzd29yZCBzaG91bGQgYmU=</Arg>
>         </Call>
>       </Set>
>       <Set name="minConnectionsPerPartition">5</Set>
>       <Set name="maxConnectionsPerPartition">50</Set>
>       <Set name="acquireIncrement">5</Set>
>       <Set name="idleConnectionTestPeriod">30</Set>
>     </New>
>   </Arg>
> </New>
>
> Things to consider:
>
> - The decryption routines should use some information from the machine / os / install for a successful decrypt.
> - An unsuccessful decrypt should throw a RuntimeException indicating a failed decrypt, but with as little detail information as you can get away with (don't want to help nefarious folks in your logs).
> - Consider including the cipher algorithm in the arguments to localDecrypt()
> - Perhaps the arguments should only reference a needed password by id, and the local install knows which one to return (useful for differences in DEV/TEST/CI/QA/PROD)
>
> Joakim Erdfelt / [email protected]
>
> On Fri, Dec 29, 2017 at 6:39 AM, Víctor Martínez <[email protected]> wrote:
>
>> Hi,
>>
>> I have created a JNDI resource to be able to connect to PostgreSQL with SSL. Is it possible to encrypt the password for a JNDI resource defined in the jetty-env.xml file, instead of just using obfuscation? I'm talking about this: http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
>>
>> Regards,
>> vtez
>>
>> _______________________________________________
>> jetty-users mailing list
>> [email protected]
>> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
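Editor's note: the following is an added example of the "own class/static method" approach Joakim outlines above, written for this page; it is not Jetty code and not code posted by either participant. Only the class and method names `net.vmartinez.util.SecurePassword.localDecrypt` come from the thread. The two-argument signature (resource id plus token), the `ENC:<transformation>:<base64>` token format, the key file location (`${jetty.base}/etc/local-password.key`, overridable with `-Dlocal.password.key=...`) and the `encrypt` helper are all assumptions made for the illustration. It follows the four "things to consider": the key file is the machine-local input, failures throw a `RuntimeException` with no cause or detail, the transformation travels in the token, and the resource id is bound into the ciphertext as GCM additional authenticated data.

```java
package net.vmartinez.util;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative decrypt helper, called from jetty-env.xml like this (assumed
 * two-argument form, not the one-argument call shown in the thread):
 *
 *   <Set name="password">
 *     <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
 *       <Arg>jdbc/DSTest</Arg>
 *       <Arg>ENC:AES/GCM/NoPadding:...base64...</Arg>
 *     </Call>
 *   </Set>
 *
 * Key file path, token format and signature are assumptions for this example.
 */
public final class SecurePassword {
    private static final String PREFIX = "ENC:";
    private static final int IV_LEN = 12;    // 96-bit GCM nonce
    private static final int TAG_BITS = 128;

    private SecurePassword() {}

    /** Assumption: a 32-byte raw AES key kept outside the XML, mode 0400, owned by the Jetty user. */
    private static SecretKey loadKey() throws Exception {
        String fallback = System.getProperty("jetty.base", ".") + "/etc/local-password.key";
        Path keyFile = Paths.get(System.getProperty("local.password.key", fallback));
        byte[] raw = Files.readAllBytes(keyFile);
        if (raw.length != 32) throw new IllegalStateException();
        return new SecretKeySpec(raw, "AES");
    }

    /**
     * Decrypts "ENC:<transformation>:<base64(iv || ciphertext || tag)>".
     * The resource id is GCM additional data, so a token copied from one
     * resource's <Set> into another's fails authentication.
     */
    public static String localDecrypt(String resourceId, String token) {
        try {
            if (!token.startsWith(PREFIX)) throw new IllegalArgumentException();
            String[] parts = token.substring(PREFIX.length()).split(":", 2);
            String transformation = parts[0];
            // Only accept an authenticated mode; the XML must not be able to downgrade to ECB/CBC.
            if (!transformation.startsWith("AES/GCM/")) throw new IllegalArgumentException();
            byte[] blob = Base64.getDecoder().decode(parts[1]);
            Cipher c = Cipher.getInstance(transformation);
            c.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            c.updateAAD(resourceId.getBytes(StandardCharsets.UTF_8));
            byte[] plain = c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Deliberately no cause and no detail: a wrong key, a tampered token
            // and a missing key file all produce the same line in the log.
            throw new RuntimeException("local password decrypt failed for " + resourceId);
        }
    }

    /** Produces a token for one resource; run once on the target host with its key file. */
    public static String encrypt(String resourceId, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(resourceId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return PREFIX + "AES/GCM/NoPadding:" + Base64.getEncoder().encodeToString(blob);
    }

    /** java -cp lib/secure-password.jar net.vmartinez.util.SecurePassword jdbc/DSTest 'the-real-password' */
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SecurePassword <resourceId> <plaintext>");
            System.exit(2);
        }
        String token = encrypt(args[0], args[1]);
        // Round-trip against the same key file before pasting the token into the XML.
        if (!args[1].equals(localDecrypt(args[0], token))) throw new IllegalStateException();
        System.out.println(token);
    }
}
```

Usage note: the key file is the per-install secret Joakim refers to, so the same jetty-env.xml can be deployed to DEV, TEST and PROD with a different `local-password.key` on each host (or a different `-Dlocal.password.key` path), and a token generated on one host is useless on another. The caveat from the thread still holds: anyone who can read both the XML and the key file, or who can run code as the Jetty user, can recover the password; this moves the secret out of the XML, it does not make the XML safe to share.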
