Understood. Thanks for the information. Regards.
On Tue, 2 Jan 2018 at 09:41 Greg Wilkins <[email protected]> wrote:
>
> Victor,
>
> CRYPT uses the Unix Crypt <https://en.wikipedia.org/wiki/Crypt_(Unix)>
> algorithm, which like MD5 is a one way hash. So there is no specific
> algorithm available that will provide the original password. When using
> these encryptions, jetty takes newly provided credentials from the request
> and re-applies the hash to see if the same encrypted result is obtained.
> It cannot recover the original password.
>
> However both MD5 and UnixCrypt are not strong encryptions and brute force
> algorithms can be applied to recover a "password" in a short period of
> time. Note however that I say "password", as it may not actually be the
> original password, but another one that just happens to generate the same
> hash.
>
> In order to store strongly encrypted passwords in the XML, you will need
> access to a private key in order to decrypt them at start up time. This
> could be in a file, but would then be no more secure than the XML. The
> other alternative is to prompt the user for a passphrase at startup, but
> this will make automatic start impossible.
>
> In short, either the XML has the credentials, in which case it is
> protected only by file/user privileges, or you need to come up with some
> other mechanism to provide the credentials at runtime that meets your
> operational requirements.
>
> regards
>
> On 2 January 2018 at 08:00, Víctor Martínez <[email protected]> wrote:
>
>> Hi Joakim,
>>
>> Yes I'll try that avenue. In fact, which algorithm should I use to
>> decrypt the CRYPT string outputted with "java -cp
>> lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password
>> me blah" previously encrypted by me?
>>
>> Thanks,
>> vtez
>>
>> On Fri, 29 Dec 2017 at 14:21 Joakim Erdfelt <[email protected]> wrote:
>>
>>> The org.eclipse.jetty.util.security.Password is for password obfuscation
>>> (OBF:) and verification (MD5: CRYPT:).
>>> It's meant to prevent casual discovery of the password.
>>>
>>> If an undesired user has access to the XML, then they have the means to
>>> deobfuscate / decrypt the password too.
>>> This fundamental truth remains unchanged no matter how complicated you
>>> make the obfuscation. (the org.eclipse.jetty.util.security.Password is
>>> present and must be able to deobfuscate for it to work)
>>>
>>> We have no feature in Jetty itself to encrypt/decrypt a password during
>>> XML usage.
>>> But that doesn't prevent you from creating your own class to do that.
>>>
>>> You can call an arbitrary class/method in the XML and have it return the
>>> String form, just like you see in the linked documentation you provided.
>>>
>>> Aka ...
>>>
>>> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>>>   <Arg></Arg>
>>>   <Arg>jdbc/DSTest</Arg>
>>>   <Arg>
>>>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>>>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>>>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>>>       <Set name="username">dbuser</Set>
>>>       <Set name="password">
>>>         <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate">
>>>           <Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg>
>>>         </Call>
>>>       </Set>
>>>       <Set name="minConnectionsPerPartition">5</Set>
>>>       <Set name="maxConnectionsPerPartition">50</Set>
>>>       <Set name="acquireIncrement">5</Set>
>>>       <Set name="idleConnectionTestPeriod">30</Set>
>>>     </New>
>>>   </Arg>
>>> </New>
>>>
>>> The org.eclipse.jetty.util.security.Password.deobfuscate(String) static
>>> method exists here ...
>>>
>>> https://github.com/eclipse/jetty.project/blob/jetty-9.4.8.v20171121/jetty-util/src/main/java/org/eclipse/jetty/util/security/Password.java#L181-L209
>>>
>>> So, create your own class/static method.
>>> Put it in the server classpath, and you should be able to use it from
>>> the XML for your own purposes.
>>>
>>> Eg:
>>>
>>> <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource">
>>>   <Arg></Arg>
>>>   <Arg>jdbc/DSTest</Arg>
>>>   <Arg>
>>>     <New class="com.jolbox.bonecp.BoneCPDataSource">
>>>       <Set name="driverClass">com.mysql.jdbc.Driver</Set>
>>>       <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set>
>>>       <Set name="username">dbuser</Set>
>>>       <Set name="password">
>>>         <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
>>>           <Arg>VGhpcyBpcyB3aGVyZSB5b3VyIGVuY3J5cHRlZCBwYXNzd29yZCBzaG91bGQgYmU=</Arg>
>>>         </Call>
>>>       </Set>
>>>       <Set name="minConnectionsPerPartition">5</Set>
>>>       <Set name="maxConnectionsPerPartition">50</Set>
>>>       <Set name="acquireIncrement">5</Set>
>>>       <Set name="idleConnectionTestPeriod">30</Set>
>>>     </New>
>>>   </Arg>
>>> </New>
>>>
>>> Things to consider:
>>>
>>> - The decryption routines should use some information from the
>>>   machine / os / install for a successful decrypt.
>>> - An unsuccessful decrypt should throw a RuntimeException indicating
>>>   a failed decrypt, but with as little detail information as you can get
>>>   away with (don't want to help nefarious folks in your logs).
>>> - Consider including the cipher algorithm in the arguments to
>>>   localDecrypt()
>>> - Perhaps the arguments should only reference a needed password by
>>>   id, and the local install knows which one to return (useful for
>>>   differences in DEV/TEST/CI/QA/PROD)
>>>
>>> Joakim Erdfelt / [email protected]
>>>
>>> On Fri, Dec 29, 2017 at 6:39 AM, Víctor Martínez <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have created a JNDI resource to be able to connect to PostgreSQL with
>>>> SSL. Is it possible to encrypt the password for a JNDI resource defined in
>>>> the jetty-env.xml file, instead of just using obfuscation? I'm talking
>>>> about this:
>>>> http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html.
>>>>
>>>> Regards,
>>>> vtez
>>>
>
> --
> Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
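The thread above describes the pattern (a `<Call>` in jetty-env.xml that invokes your own static method and returns the plaintext) and lists the properties such a method should have: the key comes from somewhere outside the XML, a failed decrypt throws a terse RuntimeException, and the argument identifies which credential is wanted. The class below is an added illustration of that pattern, not code from Jetty or from anyone in the thread. The package and class name `net.vmartinez.util.SecurePassword` are reused from Joakim's placeholder; the environment variable `JETTY_SECRETS_KEY`, the two-argument `localDecrypt(id, blob)` signature and the AES-256-GCM wire format (base64 of nonce || ciphertext || tag) are assumptions of this example.

```java
package net.vmartinez.util; // name from Joakim's placeholder; the body is hypothetical

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SecurePassword {
    // Hypothetical: path of a base64-encoded 32-byte AES key, owned by the jetty user, mode 0400.
    private static final String KEY_FILE_ENV = "JETTY_SECRETS_KEY";
    private static final String CIPHER = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;

    private SecurePassword() {}

    /**
     * Called from jetty-env.xml as
     *   <Call class="net.vmartinez.util.SecurePassword" name="localDecrypt">
     *     <Arg>jdbc/DSTest</Arg><Arg>base64(nonce || ciphertext || tag)</Arg>
     *   </Call>
     * The resource id is authenticated (AAD), so a blob cut from one resource's
     * entry and pasted into another resource's entry will not decrypt.
     */
    public static String localDecrypt(String id, String encoded) {
        try {
            byte[] blob = Base64.getDecoder().decode(encoded);
            if (blob.length <= NONCE_BYTES) {
                throw new GeneralSecurityException("blob too short");
            }
            Cipher cipher = Cipher.getInstance(CIPHER);
            cipher.init(Cipher.DECRYPT_MODE, loadKey(),
                    new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
            cipher.updateAAD(id.getBytes(StandardCharsets.UTF_8));
            byte[] plain = cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Terse on purpose and without the cause: the startup log should not
            // reveal whether the key, the nonce, the tag or the encoding was at fault.
            throw new RuntimeException("credential '" + id + "' could not be decrypted");
        }
    }

    /** Produces the value to paste into the XML; run once per credential. */
    public static String localEncrypt(String id, String plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance(CIPHER);
        cipher.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(id.getBytes(StandardCharsets.UTF_8));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, blob, 0, nonce.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    private static SecretKeySpec loadKey() throws Exception {
        String path = System.getenv(KEY_FILE_ENV);
        if (path == null) {
            throw new GeneralSecurityException(KEY_FILE_ENV + " not set");
        }
        Path keyFile = Paths.get(path);
        try {
            // Refuse a key readable by anyone but its owner: that is the one property
            // that makes the key file better protected than the XML it unlocks.
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new GeneralSecurityException("key file is group/world readable");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): rely on the ACL the operator set.
        }
        String b64 = new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII).trim();
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) {
            throw new GeneralSecurityException("key must be 32 bytes (AES-256)");
        }
        return new SecretKeySpec(raw, "AES");
    }

    // Usage: JETTY_SECRETS_KEY=/etc/jetty/secrets.key \
    //        java -cp . net.vmartinez.util.SecurePassword jdbc/DSTest 'the-db-password'
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SecurePassword <resource-id> <plaintext-password>");
            System.exit(2);
        }
        String blob = localEncrypt(args[0], args[1]);
        System.out.println(blob);
        // Round-trip check before the value is pasted anywhere.
        if (!localDecrypt(args[0], blob).equals(args[1])) {
            throw new IllegalStateException("round-trip mismatch");
        }
    }
}
```

Greg's caveat still applies in full: the key file lives on the same host as the XML, so the scheme only gains anything when the key file's owner and mode are tighter than those of jetty-env.xml (for example, readable by the jetty service account alone while the XML is readable by the deployment tooling). The permission check in `loadKey()` turns that expectation into a hard startup failure rather than a silent assumption, and using the resource id as AAD addresses Joakim's point about referencing a credential by id without the decryptor having to keep a lookup table.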
