Re: How to encrypt DB password in persistence.xml
Hello, Mike,

Do we have a target day for OpenJPA 2.0 GA? From http://openjpa.apache.org/jpa-20-roadmap.html, may I assume it will be released before the end of the year? Both password encryption and get cache from factory in the JPA spec are very useful for me. I use Spring to manage the life cycle of the manager factory, it's difficult to cast the factory into OpenJPAEntityManagerFactory directly.

Regards,
Yu Wang

On Fri, Aug 14, 2009 at 11:27 AM, Michael Dick <michael.d.d...@gmail.com> wrote:
> Hi,
>
> OpenJPA doesn't know (or care) how much of the password is encrypted - that determination is up to the encryption provider (i.e. your code). So if the encryption provider can figure out which parts of the string need to be decrypted and which parts do not then you should be set.
>
> I just reopened the issue to port it to version 1.3.0 so this feature will be available in the next major (2.0.0) and minor (1.3.0) versions of OpenJPA. In the meantime you can grab a nightly build from the builds page http://openjpa.apache.org/downloads.html (look for 2.0.0-SNAPSHOT). I'll try to get the fix ported to 1.3.0 this weekend too.
>
> -mike
Re: How to encrypt DB password in persistence.xml
Hi,

Yes, we do have plans to GA OpenJPA 2.0 before the end of the year, but it all depends on external factors which we have little control over. We need a finalized spec from the JCP -- current target date of Nov 16, 2009. And, we need a TCK (test suite) delivered at approximately the same timeframe. Then, we need to work through that TCK so that we can claim compliance. Overall, our OpenJPA 2.0 development and testing has been going quite well, so we're hoping for the same when using the TCK...

Kevin

On Tue, Sep 1, 2009 at 4:58 AM, wang yu <wangy...@gmail.com> wrote:
> Hello, Mike,
>
> Do we have a target day for OpenJPA 2.0 GA? From http://openjpa.apache.org/jpa-20-roadmap.html, may I assume it will be released before the end of the year? Both password encryption and get cache from factory in the JPA spec are very useful for me. I use Spring to manage the life cycle of the manager factory, it's difficult to cast the factory into OpenJPAEntityManagerFactory directly.
>
> Regards,
> Yu Wang
Re: How to encrypt DB password in persistence.xml
Mike,

Thanks a lot! Since I used DBCP datasource as following:

    <property name="openjpa.ConnectionProperties"
              value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=1, poolPreparedStatements=true" />

May I encrypt a sub string of property value rather than full property value string? Anyway, when will this feature be available? In a new release or a rolling patch?

Regards,
Yu Wang

On Fri, Aug 7, 2009 at 9:33 PM, Michael Dick <michael.d.d...@gmail.com> wrote:
> Hi Yu,
>
> At the moment our support allows you to specify an 'Encryption Provider' which handles the encryption / decryption of a password. We aren't providing a tool to do the actual encryption - just a plugin point for other tools.
>
> It sounds like you have written the encryption code in your extension for DBCP so it should be fairly easy to wrap in an encryption provider.
>
> Hope this helps,
> -mike
Re: How to encrypt DB password in persistence.xml
Hi,

OpenJPA doesn't know (or care) how much of the password is encrypted - that determination is up to the encryption provider (i.e. your code). So if the encryption provider can figure out which parts of the string need to be decrypted and which parts do not then you should be set.

I just reopened the issue to port it to version 1.3.0 so this feature will be available in the next major (2.0.0) and minor (1.3.0) versions of OpenJPA. In the meantime you can grab a nightly build from the builds page http://openjpa.apache.org/downloads.html (look for 2.0.0-SNAPSHOT). I'll try to get the fix ported to 1.3.0 this weekend too.

-mike

On Thu, Aug 13, 2009 at 8:58 PM, wang yu <wangy...@gmail.com> wrote:
> Mike,
>
> Thanks a lot! Since I used DBCP datasource as following:
>
>     <property name="openjpa.ConnectionProperties"
>               value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=1, poolPreparedStatements=true" />
>
> May I encrypt a sub string of property value rather than full property value string? Anyway, when will this feature be available? In a new release or a rolling patch?
>
> Regards,
> Yu Wang
Re: How to encrypt DB password in persistence.xml
Rick,

Thank you for your information. I have resolved this issue by modifying the dbcp source code. The bad part is dbcp can be built with jdk 1.4 only, which made the build system a little bit complicated :-) If you can deliver the encryption feature in the next release, I'll be very pleased to use it.

Regards,
Yu Wang

On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis <curti...@gmail.com> wrote:
> Yu Wang -
>
> OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a change was made.
>
> Thanks -
> Rick
>
> [1] https://issues.apache.org/jira/browse/OPENJPA-1089
Re: How to encrypt DB password in persistence.xml
Hi Yu,

At the moment our support allows you to specify an 'Encryption Provider' which handles the encryption / decryption of a password. We aren't providing a tool to do the actual encryption - just a plugin point for other tools.

It sounds like you have written the encryption code in your extension for DBCP so it should be fairly easy to wrap in an encryption provider.

Hope this helps,
-mike

On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wangy...@gmail.com> wrote:
> Rick,
>
> Thank you for your information. I have resolved this issue by modifying the dbcp source code. The bad part is dbcp can be built with jdk 1.4 only, which made the build system a little bit complicated :-) If you can deliver the encryption feature in the next release, I'll be very pleased to use it.
>
> Regards,
> Yu Wang
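Added example, not part of the thread and not OpenJPA project code: one way to write the 'Encryption Provider' plugin described in the message above and in Mike's Aug 14 reply, where the provider itself decides which part of the stored string is ciphertext. The `ENC(...)` marker, the `DB_PASSWORD_KEY` environment variable, the class name and the demo key are assumptions of this example; the stand-in interface mirrors the two methods of `org.apache.openjpa.lib.encryption.EncryptionProvider` so the file compiles without OpenJPA on the classpath.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * persistence.xml wiring (class name and ENC(...) convention are this example's assumptions):
 *   <property name="openjpa.EncryptionProvider" value="AesGcmPasswordProvider"/>
 *   <property name="openjpa.ConnectionPassword" value="ENC(...output of encrypt()...)"/>
 */
public class AesGcmPasswordProvider implements EncryptionProvider {
    static final String PREFIX = "ENC(";   // hypothetical marker: only wrapped values are ciphertext
    static final String SUFFIX = ")";
    private static final int IV_LEN = 12;     // bytes, recommended nonce size for GCM
    private static final int TAG_BITS = 128;  // authentication tag length

    private final SecretKeySpec key;

    /** Plugins are created through a no-arg constructor; the key comes from outside the XML. */
    public AesGcmPasswordProvider() {
        this(Base64.getDecoder().decode(requireEnv("DB_PASSWORD_KEY")));
    }

    AesGcmPasswordProvider(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16 or 32 bytes");
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    private static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }

    @Override
    public String encrypt(String password) {
        try {
            byte[] iv = new byte[IV_LEN];
            new SecureRandom().nextBytes(iv);              // fresh nonce for every encryption
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return PREFIX + Base64.getEncoder().encodeToString(out) + SUFFIX;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("password encryption failed", e);
        }
    }

    @Override
    public String decrypt(String password) {
        // The provider decides what is encrypted: unmarked values pass through unchanged.
        if (password == null || !password.startsWith(PREFIX) || !password.endsWith(SUFFIX)) {
            return password;
        }
        try {
            byte[] in = Base64.getDecoder().decode(
                    password.substring(PREFIX.length(), password.length() - SUFFIX.length()));
            if (in.length < IV_LEN + TAG_BITS / 8) {
                throw new IllegalArgumentException("ciphertext too short");
            }
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);  // throws if the tag does not verify
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Fail closed, and keep the stored value out of the exception message.
            throw new IllegalStateException("stored DB password could not be decrypted", e);
        }
    }

    public static void main(String[] args) {
        // Constructed 128-bit demo key; a deployment reads the key from DB_PASSWORD_KEY.
        byte[] demoKey = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        AesGcmPasswordProvider p = new AesGcmPasswordProvider(demoKey);

        String stored = p.encrypt("app");   // value to place in persistence.xml
        System.out.println("stored value        : " + stored);
        System.out.println("round trip ok       : " + "app".equals(p.decrypt(stored)));
        System.out.println("plaintext kept as-is: " + "app".equals(p.decrypt("app")));

        // Change one Base64 character inside the ciphertext/tag region.
        int i = PREFIX.length() + 20;
        char swap = stored.charAt(i) == 'A' ? 'B' : 'A';
        String tampered = stored.substring(0, i) + swap + stored.substring(i + 1);
        try {
            p.decrypt(tampered);
            System.out.println("tamper rejected     : false");
        } catch (IllegalStateException e) {
            System.out.println("tamper rejected     : true");
        }
    }
}

// Stand-in with the same two methods as org.apache.openjpa.lib.encryption.EncryptionProvider.
// In a deployment, delete it and implement the OpenJPA interface instead.
interface EncryptionProvider {
    String encrypt(String password);
    String decrypt(String password);
}
```

The key has to live somewhere other than persistence.xml (here an environment variable); a key stored beside the ciphertext only obscures the password from casual reading.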
Re: How to encrypt DB password in persistence.xml
Yu Wang -

OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a change was made.

Thanks -
Rick

[1] https://issues.apache.org/jira/browse/OPENJPA-1089

--
View this message in context: http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
Sent from the OpenJPA Users mailing list archive at Nabble.com.
Re: How to encrypt DB password in persistence.xml
Kevin,

Thanks for your patient answer. I'll try to resolve it in the dbcp community.

Cheers,
Yu Wang

On Mon, May 18, 2009 at 9:03 PM, Kevin Sutter <kwsut...@gmail.com> wrote:
> Hi Yu Wang,
>
> My apologies, but I'm not an expert with DBCP. I just thought I would do a quick Google search to see what's out there and I found a few hits, one of which I posted to my previous reply.
>
> Since you seem to be interested in encrypting the password being sent in to DBCP, you will probably need to do something specific with the DBCP implementation either by modifying it directly (like you mentioned in one of your replies) or maybe by extending the BasicDataSource (my reference). I don't have any direct experience with either approach. You might want to try posting your question to the DBCP group [1].
>
> Please keep us informed of your progress. Thanks.
>
> Kevin
>
> [1] http://commons.apache.org/dbcp/
Re: How to encrypt DB password in persistence.xml
Hi Kevin,

Thanks. The link you gave indicates how to extend BasicDataSourceFactory. But I guess this approach isn't feasible for OpenJPA. I need to extend BasicDataSource directly, right? And you mentioned there were other instructions on extending the BasicDataSource. Can you make it clearer? I found extending BasicDataSource isn't very straightforward.

Regards,
Yu Wang

On Fri, May 15, 2009 at 9:56 PM, Kevin Sutter <kwsut...@gmail.com> wrote:
> Hi Yu Wang,
>
> Or, you could develop an answer for OpenJPA and contribute it back to the project... :-) Providing an encryption capability for persistence.xml password values would be a nice feature. But, this would probably only apply to our openjpa.* properties...
>
> In your particular case where you are passing in all of the parameters to dbcp, I don't see how OpenJPA could help in this case. The URL is just passed through to dbcp, so any decryption of a password field would need to be provided by dbcp.
>
> I did a quick search on this topic and found a few hits related to encrypting passwords used for dbcp. One link [1] indicated that using Tomcat 6.0 makes this a bit easier, but there were other instructions on extending the BasicDataSource. This link was specific to Tomcat's server.xml, but the idea could probably be extended to the persistence.xml.
>
> Let us know what you come up with.
>
> Thanks,
> Kevin
>
> [1] http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
Re: How to encrypt DB password in persistence.xml
Hi Yu Wang,

My apologies, but I'm not an expert with DBCP. I just thought I would do a quick Google search to see what's out there and I found a few hits, one of which I posted to my previous reply.

Since you seem to be interested in encrypting the password being sent in to DBCP, you will probably need to do something specific with the DBCP implementation either by modifying it directly (like you mentioned in one of your replies) or maybe by extending the BasicDataSource (my reference). I don't have any direct experience with either approach. You might want to try posting your question to the DBCP group [1].

Please keep us informed of your progress. Thanks.

Kevin

[1] http://commons.apache.org/dbcp/

On Mon, May 18, 2009 at 2:47 AM, wang yu <wangy...@gmail.com> wrote:
> Hi Kevin,
>
> Thanks. The link you gave indicates how to extend BasicDataSourceFactory. But I guess this approach isn't feasible for OpenJPA. I need to extend BasicDataSource directly, right? And you mentioned there were other instructions on extending the BasicDataSource. Can you make it clearer? I found extending BasicDataSource isn't very straightforward.
>
> Regards,
> Yu Wang
Re: How to encrypt DB password in persistence.xml
Hi Kevin,

Thank you. You had real good solutions but unfortunately neither of them is feasible for our project. We use Apache dbcp datasource to leverage DB connection pool and tomcat 5.5 as app server. Following is a fragment of our persistence.xml:

    <property name="openjpa.ConnectionDriverName"
              value="org.apache.commons.dbcp.BasicDataSource" />
    <property name="openjpa.ConnectionProperties"
              value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=1, poolPreparedStatements=true" />

How to encrypt password under this situation? Or should I adopt alternative connection pool implementation to make password encryption easier? If no better solution, I guess I only have two choices:

1. Give up apache dbcp.
2. Modify source code of apache dbcp.

Regards,
Yu Wang

On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kwsut...@gmail.com> wrote:
> Hi,
>
> JPA does not define this functionality. You could pass in the password via the application instead of hard-coding it in a persistence.xml. Or, if you are in an app server environment, you should use a jndi lookup of a datasource. This would be the most secure.
>
> Kevin
Re: How to encrypt DB password in persistence.xml
Hi Yu Wang,

Or, you could develop an answer for OpenJPA and contribute it back to the project... :-) Providing an encryption capability for persistence.xml password values would be a nice feature. But, this would probably only apply to our openjpa.* properties...

In your particular case where you are passing in all of the parameters to dbcp, I don't see how OpenJPA could help in this case. The URL is just passed through to dbcp, so any decryption of a password field would need to be provided by dbcp.

I did a quick search on this topic and found a few hits related to encrypting passwords used for dbcp. One link [1] indicated that using Tomcat 6.0 makes this a bit easier, but there were other instructions on extending the BasicDataSource. This link was specific to Tomcat's server.xml, but the idea could probably be extended to the persistence.xml.

Let us know what you come up with.

Thanks,
Kevin

[1] http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi

On Fri, May 15, 2009 at 2:33 AM, wang yu <wangy...@gmail.com> wrote:
> Hi Kevin,
>
> Thank you. You had real good solutions but unfortunately neither of them is feasible for our project. We use Apache dbcp datasource to leverage DB connection pool and tomcat 5.5 as app server. Following is a fragment of our persistence.xml:
>
>     <property name="openjpa.ConnectionDriverName"
>               value="org.apache.commons.dbcp.BasicDataSource" />
>     <property name="openjpa.ConnectionProperties"
>               value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=1, poolPreparedStatements=true" />
>
> How to encrypt password under this situation? Or should I adopt alternative connection pool implementation to make password encryption easier? If no better solution, I guess I only have two choices:
>
> 1. Give up apache dbcp.
> 2. Modify source code of apache dbcp.
>
> Regards,
> Yu Wang
Re: How to encrypt DB password in persistence.xml
We have a similar feature in Apache Geronimo for our config.xml and deployment plans.

The only downside of adding this to OpenJPA, is we would then have to follow the ASF Cryptography release guidelines at - http://www.apache.org/dev/crypto.html since we would be using encryption/decryption (even if provided by the JVM). Not a biggie, but adds a few steps to the release process...

-Donald

Kevin Sutter wrote:
> Hi Yu Wang,
>
> Or, you could develop an answer for OpenJPA and contribute it back to the project... :-) Providing an encryption capability for persistence.xml password values would be a nice feature. But, this would probably only apply to our openjpa.* properties...
>
> In your particular case where you are passing in all of the parameters to dbcp, I don't see how OpenJPA could help in this case. The URL is just passed through to dbcp, so any decryption of a password field would need to be provided by dbcp.
>
> I did a quick search on this topic and found a few hits related to encrypting passwords used for dbcp. One link [1] indicated that using Tomcat 6.0 makes this a bit easier, but there were other instructions on extending the BasicDataSource. This link was specific to Tomcat's server.xml, but the idea could probably be extended to the persistence.xml.
>
> Let us know what you come up with.
>
> Thanks,
> Kevin
>
> [1] http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
Re: How to encrypt DB password in persistence.xml
Thanks for the insights, Donald. And, thanks for posting this info to the JIRA Issue (openjpa-1089) as well.

Kevin

On Fri, May 15, 2009 at 10:25 AM, Donald Woods <dwo...@apache.org> wrote:
> We have a similar feature in Apache Geronimo for our config.xml and deployment plans.
>
> The only downside of adding this to OpenJPA, is we would then have to follow the ASF Cryptography release guidelines at - http://www.apache.org/dev/crypto.html since we would be using encryption/decryption (even if provided by the JVM). Not a biggie, but adds a few steps to the release process...
>
> -Donald
Re: How to encrypt DB password in persistence.xml
Hi,

JPA does not define this functionality. You could pass in the password via the application instead of hard-coding it in a persistence.xml. Or, if you are in an app server environment, you should use a jndi lookup of a datasource. This would be the most secure.

Kevin

On Tue, May 12, 2009 at 4:31 AM, wang yu <wangy...@gmail.com> wrote:
> As title.
>
> Regards,
> Yu Wang
How to encrypt DB password in persistence.xml
As title.

Regards,
Yu Wang