Version 15

    The org.jboss.security.plugins.JaasSecurityDomain is an extension of the JaasSecurityManager that adds the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory for supporting SSL and other cryptographic use cases.


    Attributes

    • KeyStoreType: The implementation type name being used, defaults to 'JKS'.

    • KeyStoreURL: Set the KeyStore database URL string. This is used to obtain an InputStream to initialize the KeyStore. If the string is not in the URL format it is treated as a file.

    • KeyStorePass: the password used to load the KeyStore. The KeyStorePass is also used in combination with the Salt and IterationCount attributes to create a PBE secret key used with the encode/decode operations. The KeyStorePass attribute value format is one of:

      • The plaintext password for the KeyStore (or whatever format is used by the KeyStore). The toCharArray() value of the string is used without any manipulation.

      • A command to execute to obtain the plaintext password. The format is

      '{EXT}command'

      where 'command' is the exact command line that will be passed to the Runtime.exec(String) method to execute a platform command. The first line of the command output is used as the password.

      • A class to create to obtain the plaintext password. The format is

      '{CLASS}classname[:ctorarg]'

      where the

      '[:ctorarg]'

      is an optional string delimited by the ':' from the classname that will be passed to the classname constructor (ctor). The password is obtained from classname by invoking a 'char[] toCharArray()' method if found, otherwise, the 'String toString()' method is used.

    • TrustStoreType: The trust store implementation type name being used, defaults to 'JKS'.

    • TrustStoreURL: Set the TrustStore database URL string. This is used to obtain an InputStream to initialize the TrustStore. If the string is not in the URL format it is treated as a file.

    • TrustStorePass: the password used to load the TrustStore. It supports the same format as the KeyStorePass.

    • ManagerServiceName: The JMX object name string of the security manager service that the domain registers with to function as a security manager for the security domain name passed to the ctor. This makes the JaasSecurityDomain available under the standard JNDI java:/jaas/(domain) binding.

    • LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider security provider should be loaded on startup. This is needed when using the Sun JSSE jars without them installed as an extension with JDK 1.3. This should be set to false with JDK 1.4 or when using an alternate JSSE provider.

    • CipherAlgorithm: The encryption cipher algorithm to use. This can be any algorithm available in the JDK. The default is PBEwithMD5andDES.

    • Salt: The javax.crypto.spec.PBEParameterSpec salt value.

    • IterationCount: The javax.crypto.spec.PBEParameterSpec iteration count value.
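    As an added illustration (not JBoss code; the class and method names are assumed), this shows how the KeyStorePass, Salt, IterationCount and CipherAlgorithm attributes combine into the PBE secret key behind the domain's encode/decode operations, as a round trip with the page's default PBEwithMD5andDES. That default is a legacy algorithm with a 56-bit DES key, so the CipherAlgorithm attribute is where a stronger JDK PBE algorithm would be selected.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/** Hypothetical stand-in for the domain's PBE encode/decode (not JBoss code). */
public class PbeEncodeDecodeDemo {
    private final String cipherAlgorithm; // CipherAlgorithm attribute
    private final byte[] salt;            // Salt attribute
    private final int iterationCount;     // IterationCount attribute
    private final char[] keyStorePass;    // KeyStorePass, already resolved to plaintext

    PbeEncodeDecodeDemo(String alg, byte[] salt, int count, char[] pass) {
        this.cipherAlgorithm = alg; this.salt = salt; this.iterationCount = count; this.keyStorePass = pass;
    }

    private Cipher cipher(int mode) throws Exception {
        // The PBE secret key is derived from KeyStorePass; Salt and IterationCount are the PBE parameters
        SecretKey key = SecretKeyFactory.getInstance(cipherAlgorithm)
                .generateSecret(new PBEKeySpec(keyStorePass));
        Cipher c = Cipher.getInstance(cipherAlgorithm);
        c.init(mode, key, new PBEParameterSpec(salt, iterationCount));
        return c;
    }

    byte[] encode(byte[] plain) throws Exception { return cipher(Cipher.ENCRYPT_MODE).doFinal(plain); }
    byte[] decode(byte[] enc) throws Exception { return cipher(Cipher.DECRYPT_MODE).doFinal(enc); }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; PBEwithMD5andDES (the page's default) requires an 8-byte salt
        byte[] salt = "12345678".getBytes(StandardCharsets.US_ASCII);
        PbeEncodeDecodeDemo d = new PbeEncodeDecodeDemo("PBEwithMD5andDES", salt, 1000, "changeit".toCharArray());
        byte[] secret = "db password".getBytes(StandardCharsets.UTF_8);
        byte[] enc = d.encode(secret);
        byte[] dec = d.decode(enc);
        System.out.println("roundtrip ok: " + Arrays.equals(secret, dec));
        // A domain configured with a different Salt or IterationCount derives a different key and cannot decode enc
    }
}
```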


    Attributes (available as of EAP 4.2 CP08, EAP 4.3 CP06 and AS 5.2 Beta)

    • KeyStoreAlias: Alias of the KeyStore with the certificate to be used.
    • KeyStoreProvider: Security provider of the KeyStore.
    • KeyManagerFactoryProvider: Security provider of the KeyManagerFactory.
    • KeyManagerFactoryAlgorithm: Algorithm of the KeyManagerFactory.
    • TrustStoreProvider: Security provider of the TrustStore.
    • TrustManagerFactoryProvider: Security provider of the TrustManagerFactory.
    • TrustManagerFactoryAlgorithm: Algorithm of the TrustManagerFactory.


    Available '{CLASS}classname[:ctorarg]' implementations

    There are a number of bundled implementations of classes for obtaining the KeyStorePass value. These currently include:

    • org.jboss.security.plugins.ConsolePassword : Read a password from the System.in stream. This may be used as a password accessor in conjunction with the JaasSecurityDomain.

      KeyStorePass attribute format: '{CLASS}org.jboss.security.plugins.ConsolePassword'.

    • org.jboss.security.plugins.FilePassword : Read a password stored in opaque form in a file, for use with the FilePassword accessor in conjunction with the JaasSecurityDomain.

      KeyStorePass attribute format: '{CLASS}org.jboss.security.plugins.FilePassword:password-file'. The opaque password file is created by running:

        java org.jboss.security.plugins.FilePassword salt count password password-file

      Running

        java org.jboss.security.plugins.FilePassword

      without arguments prints a usage message. Note that this is security by obscurity: the password is not stored in plaintext, but it can be recovered simply by using the code from this class.

    • org.jboss.security.plugins.TmpFilePassword : Read a password from the file specified via the ctor argument, then overwrite the file contents with garbage and remove the file. This may be used as a password accessor in conjunction with the JaasSecurityDomain.

      KeyStorePass attribute format: '{CLASS}org.jboss.security.plugins.TmpFilePassword:password-file'.
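    The three KeyStorePass value formats defined above, and the bundled '{CLASS}' accessors listed here, handled by a resolver added as an example (not the JaasSecurityDomain implementation; the class name KeyStorePassResolver is assumed). Because '{EXT}' executes whatever command line the attribute names and '{CLASS}' instantiates whatever class it names, write access to the configuration that carries this attribute is equivalent to code execution in the server process and should be protected at least as tightly as the KeyStore password itself.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.lang.reflect.Method;

/** Hypothetical resolver for the KeyStorePass value formats (not JBoss code). */
public class KeyStorePassResolver {
    public static char[] resolve(String value) throws Exception {
        if (value.startsWith("{EXT}")) {
            return fromCommand(value.substring("{EXT}".length()));
        }
        if (value.startsWith("{CLASS}")) {
            return fromClass(value.substring("{CLASS}".length()));
        }
        // Plaintext form: toCharArray() of the string, used without any manipulation
        return value.toCharArray();
    }

    // {EXT}command: the exact command line goes to Runtime.exec(String); first output line is the password
    static char[] fromCommand(String command) throws Exception {
        Process p = Runtime.getRuntime().exec(command);
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line = r.readLine();
            if (line == null) throw new IllegalStateException("command produced no output");
            return line.toCharArray();
        } finally {
            p.waitFor();
        }
    }

    // {CLASS}classname[:ctorarg]: instantiate, then prefer char[] toCharArray(), else toString()
    static char[] fromClass(String spec) throws Exception {
        int colon = spec.indexOf(':');
        Class<?> cls = Class.forName(colon < 0 ? spec : spec.substring(0, colon));
        Object instance = colon < 0
                ? cls.getConstructor().newInstance()
                : cls.getConstructor(String.class).newInstance(spec.substring(colon + 1));
        try {
            Method m = cls.getMethod("toCharArray");
            if (m.getReturnType() == char[].class) return (char[]) m.invoke(instance);
        } catch (NoSuchMethodException e) {
            // no toCharArray(): fall through to toString()
        }
        return instance.toString().toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // java.lang.StringBuilder has a String ctor and no toCharArray(), so toString() is used: prints "changeit"
        System.out.println(new String(resolve("{CLASS}java.lang.StringBuilder:changeit")));
    }
}
```

    A bundled accessor such as FilePassword plugs in the same way, with its password file path as the ctorarg after the ':'.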