5 Replies Latest reply on Jul 31, 2008 12:02 AM by balajisaranath

Using custom security domain to use encrypted password

priyankalavti Jul 24, 2008 11:23 PM

Hi Everybody,

My Requirement:
1. remove the usage of cleartext password from mysql-ds.xml
2. Use the custom password manager to retrieve the password

Given Solution by extending the SecureIdentityLoginModule:
JBoss connector APIÃ¢Â€Â™s provides SecureIdentityLoginModule to encrypt database passwords rather than using clear text passwords in the datasource configuration. I have extended this class and overridden the commit method, which will call password manager to retrieve the password.

Problem:
By going thru the custom login module, JBoss JCA takes ~25 milliseconds to return the connection. And this 25 milliseconds doesn't count the time to call password manager. But if I don't use cleartext password, it takes hardly 1 millisecond.

I want to understand:
1. what is done by JCA when login module is used which takes ~25 milliseconds.
2. Is there any way I can configure JBoss JCA to verify the password only for the 1st time, and for the subsequent calls, it just returns the connection in ~1 milliseconds.

Thanks in advance,
Priyanka

1. Re: Using custom security domain to use encrypted password

peterj Jul 25, 2008 11:21 AM (in response to priyankalavti)

Did you set min-pool-size in the *-ds.xml file? If not, try setting is to the number of simultaneous connections that you expect to have and see if that reduces the time.
Actions
2. Re: Using custom security domain to use encrypted password

vickyk Jul 28, 2008 1:44 AM (in response to priyankalavti)

"priyankalavti" wrote:

Problem:
By going thru the custom login module, JBoss JCA takes ~25 milliseconds to return the connection. And this 25 milliseconds doesn't count the time to call password manager. But if I don't use cleartext password, it takes hardly 1 millisecond.

Give us the evidence , we need log details which will indicate what you claim .
Actions
3. Re: Using custom security domain to use encrypted password

priyankalavti Jul 29, 2008 4:05 AM (in response to priyankalavti)

here are the logs after enabling trace on the server.

Please notice the time difference of colored logs.

2008-07-25 16:40:34,369 INFO [STDOUT] Entering getDbConnection method
2008-07-25 16:40:34,370 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=id=admin,ou=user,dc=test,dc=com
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
, this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275], activeUsers=0
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
, this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
2008-07-25 16:40:34,370 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] getIdentity called, username=testuser
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Begin isValid, principal:id=admin,ou=user,dc=test,dc=com, cache info: null
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, principal=id=admin,ou=user,dc=test,dc=com
2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(EncryptDBPassword), size=10
2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(EncryptDBPassword), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.test.security.jboss.loginmodule.DatabaseSecureLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:name=testjndi,service=LocalTxCM
name=password, value=TESTUSER_KEY
name=username, value=testuser

2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.AbstractPasswordCredentialLoginModule1] mcfname: jboss.jca:name=testjndi,service=LocalTxCM
2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] login called
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, lc=javax.security.auth.login.LoginContext@1d71519, subject=Subject(27927662).principals=
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] updateCache, inputSubject=Subject(27927662).principals=, cacheSubject=Subject(20835342).principals=
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@54b8e7[Subject(20835342).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] End isValid, true
2008-07-25 16:40:34,399 INFO [STDOUT] time taken in getDbConnection in millis...30

Regards,
Priyanka
Actions

4. Re: Using custom security domain to use encrypted password

priyankalavti Jul 29, 2008 4:13 AM (in response to priyankalavti)

I am using MySQL database.

The mysql-ds.xml looks like:

<local-tx-datasource>
 <jndi-name>testjndi</jndi-name>
 <connection-url>jdbc:mysql://localhost:3306/</connection-url>
 <security-domain>EncryptDBPassword</security-domain>
 <driver-class>org.gjt.mm.mysql.Driver</driver-class>
 <!--pooling parameters-->
 <min-pool-size>5</min-pool-size>
 <max-pool-size>100</max-pool-size>
 <blocking-timeout-millis>5000</blocking-timeout-millis>
 <idle-timeout-minutes>15</idle-timeout-minutes>
 </local-tx-datasource>

The application policy entry of login-config.xml looks like:

<application-policy name="EncryptDBPassword">
 <authentication>
 <login-module code="com.test.security.jboss.loginmodule.DatabaseSecureLoginModule" flag="required">
 <module-option name="username">testuser</module-option>
 <module-option name="password">TESTUSER_KEY</module-option>
 <module-option name="managedConnectionFactoryName">jboss.jca:name=testjndi,service=LocalTxCM</module-option>
 </login-module>
 </authentication>
 </application-policy>

Regards,
Priyanka

5. Re: Using custom security domain to use encrypted password

balajisaranath Jul 31, 2008 12:02 AM (in response to priyankalavti)

Hi,

This issue has been fixed (atleast for us) using the Caching policies. WE had a DefaultCacheTimeOut of "0" which meant the authenticate() was called everytime in the following piece of code. of the authentication.
The latency that was a problem for us in our design was the authenticate() that created DefaultLoginConfig using reflection. A few milliseconds extra but on a real time server , it was a major impact for us.

Thanks
Bala

Code snippet from the Jboss source code (JaasSecurityManager)

public boolean isValid(Principal principal, Object credential,

 Subject activeSubject)

 {

 // Check the cache first

 DomainInfo cacheInfo = getCacheInfo(principal, true);

 if( trace )

 log.trace("Begin isValid, principal:"+principal+", cache info: "+cacheInfo);



 boolean isValid = false;

 if( cacheInfo != null )

 {

 isValid = validateCache(cacheInfo, credential, activeSubject);

 if( cacheInfo != null )

 cacheInfo.release();

 }

 if( isValid == false )

 isValid = authenticate(principal, credential, activeSubject);

 if( trace )

 log.trace("End isValid, "+isValid);

 return isValid;

 }

Go to original post