Hello Indika,

That's fine, thanks very much for that.
Kim

-----Original Message-----
From: indika kumara [mailto:[email protected]]
Sent: Monday, 6 April 2009 3:44 PM
To: [email protected]
Subject: Re: Can VFS SFTP Passwords be encrypted

Hi

I feel your requirements are wide. I feel I will not have enough time. I
just put how to use what I did to get secure passwords. You have to
incorporate these changes into what you have done. I am sorry; I will not
have time to do these for this release to cater to each requirement of
yours. But I will definitely do this for the next release. I hope the
following will help.

Please Note: You have to follow Synapse_Samples_Setup.html under the
section "Securing Password and Setting up Synapse DataSources".

VFS listener case:

    <parameter name="transport.vfs.password">alias password</parameter>
    <parameter name="transport.vfs.passwordProvider">org.apache.synapse.security.secret.handler.SecretManagerSecretCallbackHandler</parameter>

Considering that the above two properties have been resolved, create an
instance of SecretCallbackHandler as below:

    SecretCallbackHandler passwordProvider =
            SecretCallbackHandlerFactory.createSecretCallbackHandler(provider);

Then a method similar to the following (the method is from
'DataSourceInformation.java') can be used to get the actual password.
    /**
     * Get actual password based on SecretCallbackHandler and alias password.
     * If SecretCallbackHandler is null, then returns alias password.
     *
     * @return Actual password
     */
    public String getResolvedPassword() {
        if (passwordProvider != null) {
            if (aliasPassword != null && !"".equals(aliasPassword)) {
                // The loading module drives the configured handler(s)
                SecretLoadingModule secretLoadingModule = new SecretLoadingModule();
                secretLoadingModule.init(new SecretCallbackHandler[]{passwordProvider});
                // One callback carrying the prompt and the alias to resolve
                SingleSecretCallback secretCallback =
                        new SingleSecretCallback(DataSourceConfigurationConstants.PROMPT, aliasPassword);
                SecretCallback[] secretCallbacks = new SecretCallback[]{secretCallback};
                secretLoadingModule.load(secretCallbacks);
                return secretCallback.getSecret();
            }
        }
        // No provider configured: the alias value itself is used as the password
        return aliasPassword;
    }

To resolve many passwords, logic similar to the below can be used (this
code is from 'SecretManager.java').

    String identityStorePass;
    String identityKeyPass;
    String trustStorePass;

    // Creating required password callbacks
    SingleSecretCallback trustStorePassSecretCallback =
            new SingleSecretCallback(TRUSTSTORE_PASSWORD_PROMPT, TRUSTSTORE_PASSWORD_ID);
    SingleSecretCallback identityStorePassSecretCallback =
            new SingleSecretCallback(IDENTITYSTORE_PASSWORD_PROMPT, IDENTITYSTORE_PASSWORD_ID);
    SingleSecretCallback identityKeyPassSecretCallback =
            new SingleSecretCallback(IDENTITYSTORE_PRIVATE_KEY_PASSWORD_PROMPT,
                                     IDENTITYSTORE_PRIVATE_KEY_PASSWORD_ID);

    // Group all as one callback
    MultiSecretCallback callback = new MultiSecretCallback();
    callback.addSecretCallback(trustStorePassSecretCallback);
    callback.addSecretCallback(identityStorePassSecretCallback);
    callback.addSecretCallback(identityKeyPassSecretCallback);
    SecretCallback[] secretCallbacks = new SecretCallback[]{callback};

    // Create and initialise the SecretLoadingModule
    // (secretCallbackHandler is the handler held by SecretManager)
    SecretLoadingModule secretLoadingModule = new SecretLoadingModule();
    secretLoadingModule.init(new SecretCallbackHandler[]{secretCallbackHandler});

    // Load passwords
    secretLoadingModule.load(secretCallbacks);
    identityKeyPass = identityKeyPassSecretCallback.getSecret();
    identityStorePass = identityStorePassSecretCallback.getSecret();
    trustStorePass = trustStorePassSecretCallback.getSecret();

Thanks
Indika

On Mon, Apr 6, 2009 at 10:04 AM, Kim Horn <[email protected]> wrote:
> OK that would be great, note we are also doing it using a class mediator for
> HTTP Transport and WS_Security.
>
> Thanks
> Kim
>
> -----Original Message-----
> From: indika kumara [mailto:[email protected]]
> Sent: Monday, 6 April 2009 2:24 PM
> To: [email protected]
> Subject: Re: Can VFS SFTP Passwords be encrypted
>
> How to secure password in data sources is in document -
> Synapse_Samples_Setup.html under section Securing Password and Setting
> up Synapse DataSources. I will try to add this to VFS too.
>
> Indika
>
> On Mon, Apr 6, 2009 at 7:28 AM, Kim Horn <[email protected]> wrote:
>> Are these security fixes for Data source going into 1.3?
>> If not then an interim hack really needs to be done; we just cannot use
>> Synapse at all with passwords in Clear Text.
>> Suggestions:
>>
>> 1) Implement an interface that does de-cryption; so user can supply
>> their own code whatever that is. So specify a decrypt method that takes a
>> string and returns a string.
>>
>> 2) To fix Data sources add a parameter:
>> <decryption-class>class-Name</decryption-class>
>> - this takes the supplied password in current <password> tag and gets the
>> decrypted password from class above.
>>
>> 3) To fix VFS need to supply new set of URL options:
>> <host-path>host-name:port/path</host-path>
>> <user>synapse</user>
>> <password>encrypted-password</password>
>> <decryption-class>class-Name</decryption-class>
>>
>> - given the above the current <parameter name="transport.vfs.FileURI"> can
>> be built.
>> To be consistent with the strange VFS parameters the above can be changed to
>> something like:
>>
>> <parameter name="transport.vfs.hostPath">host-name:port/path</parameter>
>> <parameter name="transport.vfs.user">username</parameter>
>> <parameter name="transport.vfs.password">encrypted-password</parameter>
>> <parameter name="transport.vfs.decryptionClass">class-Name</parameter>
>>
>> If people agree to this I will create a Jira and start to do the work.
>>
>> Kim
>>
>> -----Original Message-----
>> From: Andreas Veithen [mailto:[email protected]]
>> Sent: Friday, 3 April 2009 5:54 AM
>> To: [email protected]
>> Subject: Re: Can VFS SFTP Passwords be encrypted
>>
>> I agree that it should be possible to use all Synapse features without
>> having to store cleartext passwords in the config files (and without
>> having them appear in log files).
>>
>> Just some random ideas about this topic:
>>
>> * Indika implemented a mechanism for exactly this, but for the moment
>> this is limited to data sources. There is some documentation about
>> this feature, but it is somewhat hidden in the Sample Setup guide. We
>> should have this documentation in a more prominent place. Maybe as a
>> subsection in the new Deployment guide?
>>
>> * As an alternative to usernames and passwords encoded in URLs,
>> Commons VFS supports authentication by passing a
>> org.apache.commons.vfs.UserAuthenticator object to the file system
>> provider. Maybe we should define a property in the message context to
>> allow to pass such an object to the transport. Alternatively we could
>> write an adapter so that we can handle e.g. HTTPS and VFS
>> authentication in the same way.
>>
>> * We should then have a mediator that builds the UserAuthenticator
>> using the password encryption mechanisms implemented by Indika.
>>
>> Any thoughts?
>>
>> Andreas
>>
>> On Thu, Apr 2, 2009 at 00:34, Kim Horn <[email protected]> wrote:
>>> It may, we are given simple text passwords by systems we have to
>>> interface to. FTP is still the largest B2B mechanism in the US :-). We
>>> cannot ask them to supply us anything else but a simple
>>> username/password; this is the reality of B2B. The only issue we have
>>> is that these are not kept in clear text in script files. In our domain
>>> this is illegal and in all other domains bad practice. So all we
>>> require is to be able to have these encrypted in any script files. I
>>> think this Jira suggests a stronger mechanism, sharing keys between SFTP
>>> servers, but is totally impractical in real world B2B.
>>>
>>> Kim
>>>
>>> -----Original Message-----
>>> From: Asankha Perera [mailto:[email protected]] On Behalf Of
>>> Asankha C. Perera
>>> Sent: Thursday, 2 April 2009 3:48 AM
>>> To: [email protected]
>>> Subject: Re: Can VFS SFTP Passwords be encrypted
>>>
>>> Hi Jay / Kim
>>>> A suggestion. SFTP can use PKI shared keys for authentication. The
>>>> keys are host+user specific.
>>>>
>>>> I am not familiar enough with Synapse to know exactly how you'd go
>>>> about it, but I do suggest that the answer lies in using PKI.
>>>>
>>> I guess https://issues.apache.org/jira/browse/SYNAPSE-507 is a proper
>>> solution for this.. and possibly we could already tweak VFS to do this..
>>>
>>> cheers
>>> asankhaa
>>>
>>> --
>>> Asankha C. Perera
>>> AdroitLogic, http://adroitlogic.org
>>>
>>> http://esbmagic.blogspot.com
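The pattern the whole thread converges on (the transport configuration carries only an alias, and a callback-style resolver turns that alias into the real password at runtime so the cleartext never sits in a config file or a log line) as an added, self-contained illustration. This is not Synapse's or Commons VFS's own code: it models Indika's SecretCallbackHandler idea with nothing but the JDK, storing the secret as a sealed entry in a JCEKS keystore. The class name AliasPasswordResolver, the alias vfs.sftp.partner, the temporary keystore file, the SECRET_STORE_PASS environment variable and the property names are assumptions made for the example, and the partner password is a constructed sample value.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative alias-to-password resolver (example code, not Synapse's own).
 * The transport configuration holds only an alias; the real password is a
 * SecretKeyEntry in a JCEKS keystore that is unlocked with a password taken
 * from the environment, so neither secret appears in the config file or logs.
 */
public class AliasPasswordResolver {

    private static final String STORE_TYPE = "JCEKS";
    private final KeyStore store;
    private final KeyStore.PasswordProtection protection;

    public AliasPasswordResolver(File keystore, char[] storePass)
            throws IOException, GeneralSecurityException {
        store = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(keystore)) {
            store.load(in, storePass);
        }
        protection = new KeyStore.PasswordProtection(storePass);
    }

    /** One-off provisioning step: put a password under an alias in a new keystore. */
    public static void provision(File keystore, char[] storePass,
                                 String alias, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, storePass);                          // start from an empty store
        // A password is wrapped as a PBE secret key so JCEKS can seal it.
        // The PBE wrapping keeps only the low 7 bits of each char (ASCII only).
        SecretKey wrapped = SecretKeyFactory.getInstance("PBE")
                .generateSecret(new PBEKeySpec(password));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(wrapped),
                    new KeyStore.PasswordProtection(storePass));
        try (FileOutputStream out = new FileOutputStream(keystore)) {
            ks.store(out, storePass);
        }
    }

    /** Resolve an alias to the password it protects; fails closed on an unknown alias. */
    public char[] resolve(String alias) throws GeneralSecurityException {
        KeyStore.Entry entry = store.getEntry(alias, protection);
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("no secret stored under alias '" + alias + "'");
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(key, PBEKeySpec.class);
        return spec.getPassword();                         // caller zeroes this when done
    }

    public static void main(String[] args) throws Exception {
        // The keystore password comes from the environment (assumed variable
        // name), never from the transport configuration.
        String env = System.getenv("SECRET_STORE_PASS");
        char[] storePass = (env != null ? env : "example-store-pass").toCharArray();
        File keystore = File.createTempFile("secrets", ".jceks");
        keystore.deleteOnExit();

        // Constructed sample: provision the partner SFTP password once.
        provision(keystore, storePass, "vfs.sftp.partner", "s3cret-partner-pw".toCharArray());

        // Constructed transport configuration in the style of the thread's
        // proposals: only the alias is present, never the password itself.
        Properties transport = new Properties();
        transport.setProperty("transport.vfs.hostPath", "sftp.partner.example:22/inbox");
        transport.setProperty("transport.vfs.user", "synapse");
        transport.setProperty("transport.vfs.password", "vfs.sftp.partner");   // alias

        AliasPasswordResolver resolver = new AliasPasswordResolver(keystore, storePass);
        char[] password = resolver.resolve(transport.getProperty("transport.vfs.password"));
        try {
            // Hand the credential to the file system provider separately (for
            // instance through a UserAuthenticator) and log only a credential-free URI.
            System.out.println("connecting to sftp://" + transport.getProperty("transport.vfs.user")
                    + "@" + transport.getProperty("transport.vfs.hostPath")
                    + " (password resolved from alias, " + password.length + " chars)");
        } finally {
            Arrays.fill(password, '\0');                   // limit its lifetime in memory
        }
    }
}
```

Run it with `java AliasPasswordResolver`; when SECRET_STORE_PASS is set it is used as the keystore password. The property the thread cares about holds: the configuration and the log line carry the alias and a credential-free URI, the resolved char[] goes to the provider out of band (Commons VFS's UserAuthenticator that Andreas mentions is one such path) and is zeroed afterwards. Because the PBE wrapping keeps only the low 7 bits of each character, this particular storage recipe is limited to ASCII passwords.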
