Victor,

CRYPT uses the Unix Crypt <https://en.wikipedia.org/wiki/Crypt_(Unix)>
algorithm, which like MD5 is a one way hash. So there is no specific
algorithm available that will provide the original password.  When using
these encryptions, jetty takes newly provided credentials from the request
and re-applies the hash to see if the same encrypted result is obtained.
It cannot recover the original password.

However both MD5 and UnixCrypt are not strong encryptions and brute force
algorithms can be applied to recover a "password" in a short period of
time.  Note however that I say "password", as it may not actually be the
original password, but another one that just happens to generate the same
hash.

In order to store strongly encrypted passwords in the XML, you will need
access to a private key in order to decrypt them at start up time.  This
could be in a file, but would then be no more secure than the XML.  The
other alternative is to prompt the user for a passphrase at startup, but
this will make automatic start impossible.

In short, either the XML has the credentials, in which case it is protected
only by file/user privileges, or you need to come up with some other
mechanism to provide the credentials at runtime that meets your operational
requirements.

regards

On 2 January 2018 at 08:00, Víctor Martínez <[email protected]> wrote:

> Hi Joakim,
>
> Yes I'll try that avenue. In fact, which algorithm should I use to
> decrypt the CRYPT string outputted with "java -cp
> lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password
> me blah" previously encrypted by me?
>
> Thanks ,
> vtez
>
> On Fri, 29 Dec 2017 at 14:21 Joakim Erdfelt <[email protected]> wrote:
>
>> The org.eclipse.jetty.util.security.Password is for password obfuscation
>> (OBF:) and verification (MD5: CRYPT:).
>> It's meant to prevent casual discovery of the password.
>>
>> If an undesired user has access to the XML, then they have the means to
>> deobfuscate / decrypt the password too.
>> This fundamental truth remains unchanged no matter how complicated you
>> make the obfuscation. (the org.eclipse.jetty.util.security.Password is
>> present and must be able to deobfuscate for it to work)
>>
>> We have no feature in Jetty itself to encrypt/decrypt a password during
>> XML usage.
>> But that doesn't prevent you from creating your own class to do that.
>>
>> You can call an arbitrary class/method in the XML and have it return the
>> String form, just like you see in the linked documentation you provided.
>>
>> Aka ...
>>
>> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>>   <Arg></Arg>
>>   <Arg>jdbc/DSTest</Arg>
>>   <Arg>
>>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>>       <Set name="username">dbuser</Set>
>>       <Set name="password">
>>         <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
>>           <Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg>
>>         </Call>
>>       </Set>
>>       <Set name="minConnectionsPerPartition">5</Set>
>>       <Set name="maxConnectionsPerPartition">50</Set>
>>       <Set name="acquireIncrement">5</Set>
>>       <Set name="idleConnectionTestPeriod">30</Set>
>>     </New>
>>   </Arg>
>> </New>
>>
>> The org.eclipse.jetty.util.security.Password.deobfuscate(String) static
>> method exists here ...
>> https://github.com/eclipse/jetty.project/blob/jetty-9.4.8.v20171121/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java#L181-L209
>>
>> So, create your own class/static method.
>> Put it in the server classpath, and you should be able to use it from the
>> XML for your own purposes.
>>
>> Eg:
>>
>> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>>   <Arg></Arg>
>>   <Arg>jdbc/DSTest</Arg>
>>   <Arg>
>>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>>       <Set name="username">dbuser</Set>
>>       <Set name="password">
>>         <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
>>           <Arg>VGhpcyBpcyB3aGVyZSB5b3VyIGVuY3J5cHRlZCBwYXNzd29yZCBzaG91bGQgYmU=</Arg>
>>         </Call>
>>       </Set>
>>       <Set name="minConnectionsPerPartition">5</Set>
>>       <Set name="maxConnectionsPerPartition">50</Set>
>>       <Set name="acquireIncrement">5</Set>
>>       <Set name="idleConnectionTestPeriod">30</Set>
>>     </New>
>>   </Arg>
>> </New>
>>
>> Things to consider:
>>
>>    - The decryption routines should use some information from the
>>    machine / os / install for a successful decrypt.
>>    - An unsuccessful decrypt should throw a RuntimeException indicating a
>>    failed decrypt, but with as little detail information as you can get away
>>    with (don't want to help nefarious folks in your logs).
>>    - Consider including the cipher algorithm in the arguments to
>>    localDecrypt()
>>    - Perhaps the arguments should only reference a needed password by
>>    id, and the local install knows which one to return (useful for
>>    differences in DEV/TEST/CI/QA/PROD)
>>
>>
>>
>> Joakim Erdfelt / [email protected]
>>
>> On Fri, Dec 29, 2017 at 6:39 AM, Víctor Martínez <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I have created a JNDI resource to be able to connect to PostgreSQL with
>>> SSL. Is it possible to encrypt the password for a JNDI resource defined in
>>> the jetty-env.xml file, instead of just using obfuscation? I'm talking
>>> about this:
>>> http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.
>>>
>>> Regards,
>>> vtez
>>>
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> To change your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>>
>>
>
>
>

-- 
Greg Wilkins <[email protected]> CTO http://webtide.com
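What Joakim's reply sketches (a custom class called from the XML, a decrypt that mixes in machine/install information, a terse RuntimeException on failure, the cipher name passed explicitly, and lookup of the password by id rather than by ciphertext in the XML), written out as an added Java example. It is not part of this thread or of Jetty: the class and method names are taken from the `<Call>` in Joakim's message; the key-file and secrets-file locations under `$JETTY_BASE/etc`, the property id `jdbc.DSTest` and the AES-GCM blob layout (iv || ciphertext || tag, base64) are assumptions of the example.

```java
// Added example, not Jetty project code. Class/method names come from the <Call> in
// Joakim's reply; file locations, property ids and the blob layout are assumptions.
package net.vmartinez.util;

import java.io.BufferedReader;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SecurePassword {
    // Assumed: 32 random bytes in $JETTY_BASE/etc/secret.key, mode 0400, owned by the jetty user.
    private static final Path KEY_FILE =
        Paths.get(System.getProperty("jetty.base", "."), "etc", "secret.key");
    // Assumed: $JETTY_BASE/etc/secrets.properties holds lines like  jdbc.DSTest=<base64 blob>
    private static final Path SECRETS_FILE =
        Paths.get(System.getProperty("jetty.base", "."), "etc", "secrets.properties");
    private static final String ALLOWED_ALGORITHM = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;

    private SecurePassword() {}

    // Entry point for jetty-env.xml:
    //   <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
    //     <Arg>AES/GCM/NoPadding</Arg><Arg>jdbc.DSTest</Arg></Call>
    // The XML carries only an id and the cipher name; the ciphertext lives in the local
    // install, so one jetty-env.xml serves DEV/TEST/CI/QA/PROD unchanged.
    public static String localDecrypt(String algorithm, String passwordId) {
        try {
            Properties secrets = new Properties();
            try (BufferedReader in = Files.newBufferedReader(SECRETS_FILE)) {
                secrets.load(in);
            }
            String blob = secrets.getProperty(passwordId);
            if (blob == null) {
                throw new GeneralSecurityException("missing id");
            }
            return decrypt(algorithm, Base64.getDecoder().decode(blob));
        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
            // Fail closed with a terse message: no ciphertext, key material or cause text
            // reaches the startup log.
            throw new RuntimeException("SecurePassword: decrypt failed for id '" + passwordId + "'");
        }
    }

    // Key = SHA-256(key file bytes || hostname): binds the blobs to this install and this host.
    static SecretKeySpec installKey() throws IOException, GeneralSecurityException {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        sha.update(Files.readAllBytes(KEY_FILE));
        sha.update(InetAddress.getLocalHost().getHostName().getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(sha.digest(), "AES");
    }

    static String decrypt(String algorithm, byte[] blob) throws IOException, GeneralSecurityException {
        // Allow-list the cipher instead of trusting whatever name the XML passes in.
        if (!ALLOWED_ALGORITHM.equals(algorithm) || blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("bad algorithm or blob");
        }
        Cipher cipher = Cipher.getInstance(algorithm);
        cipher.init(Cipher.DECRYPT_MODE, installKey(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        // GCM checks the tag before releasing plaintext; a tampered blob throws AEADBadTagException.
        byte[] plain = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    // Provisioning side: run once per environment to produce the value for secrets.properties.
    public static String encrypt(String plaintext) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);   // fresh IV per encryption; never reuse one under a key
        Cipher cipher = Cipher.getInstance(ALLOWED_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, installKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    // java -Djetty.base=/path/to/base SecurePassword.java encrypt jdbc.DSTest 's3cret'
    // java -Djetty.base=/path/to/base SecurePassword.java check jdbc.DSTest
    public static void main(String[] args) throws Exception {
        if (args.length == 3 && "encrypt".equals(args[0])) {
            System.out.println(args[1] + "=" + encrypt(args[2]));   // line to append to secrets.properties
        } else if (args.length == 2 && "check".equals(args[0])) {
            String pw = localDecrypt(ALLOWED_ALGORITHM, args[1]);   // same call the XML <Call> makes
            System.out.println("ok: " + pw.length() + " chars");    // never print the secret itself
        } else {
            System.err.println("usage: encrypt <id> <plaintext> | check <id>");
        }
    }
}
```

Compile the class into a jar on the server classpath (for example under `$JETTY_BASE/lib/ext`), generate the key file and the `secrets.properties` entry on each host with the `encrypt` mode, and replace the `<Arg>` in the `<Call>` with the algorithm name and the id. Greg's caveat still holds: the key file is protected only by file permissions, so this moves the bar from reading `jetty-env.xml` to having a shell as the jetty user on that host, and the hostname mix-in only means a copied blob and key file do not decrypt elsewhere.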