-
1. Re: Is 7.0.0.Final (Everything) ready and stable for production?
mechevar Jul 31, 2011 6:16 PM (in response to java-lover)
I too am trying out JBoss 7 for a production environment and ran into a deal breaker. Unless I find a fix in the forums, I am waiting until 7.1. The <security-domain> is having trouble masking a password using SecureIdentityLoginModule. Having the password to the backend datasource in plain text is a no-go at this point.
-
2. Re: Is 7.0.0.Final (Everything) ready and stable for production?
nickarls Aug 1, 2011 2:31 AM (in response to mechevar)
Have you filed a JIRA so the issue doesn't get lost?
-
3. Re: Is 7.0.0.Final (Everything) ready and stable for production?
mechevar Aug 1, 2011 9:57 AM (in response to nickarls)
I added the related JIRA issue that's already been filed. Looks like there is going to be a 7.0.1 release. Hopefully the encryption bug is fixed.
-
4. Re: Is 7.0.0.Final (Everything) ready and stable for production?
jason.greene Aug 1, 2011 2:21 PM (in response to java-lover)
Having the ability to "mask" passwords in configuration is on the 7.1 schedule. However, I just want to add that I have seen very few people use this feature in a way that has better security than not masking your passwords. If you do not require human interaction on boot (typing in a password, providing a removable key device, etc.), then these passwords are trivially reversible. You can also have tighter file perms on the keystore, but you can accomplish the same thing by using good file perms on standalone/domain.xml.
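
The file-permission point in the post above, as an added example that is not part of the original thread or of JBoss itself: a POSIX shell audit that flags standalone.xml or domain.xml files readable by anyone other than their owner, or not owned by the server's service account. The function names, the install root and the account name are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. File names (standalone.xml, domain.xml)
# come from the post; the install root and service account are assumptions.

# Print config files under $1 that carry any group or other permission bit.
loose_config_files() {
    find "$1" -type f \( -name standalone.xml -o -name domain.xml \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print config files under $1 that are not owned by account $2 (name or uid).
misowned_config_files() {
    find "$1" -type f \( -name standalone.xml -o -name domain.xml \) \
        ! -user "$2" -print
}

# Return 0 when every config file is owner-only and owned by $2, else 1.
audit_config() {
    dir=$1
    owner=$2
    status=0
    loose=$(loose_config_files "$dir")
    misowned=$(misowned_config_files "$dir" "$owner")
    if [ -n "$loose" ]; then
        printf 'accessible beyond owner:\n%s\n' "$loose" >&2
        status=1
    fi
    if [ -n "$misowned" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$misowned" >&2
        status=1
    fi
    return "$status"
}

# Restrict every flagged file to owner read/write only.
tighten_config() {
    loose_config_files "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Assumed usage: audit_config /path/to/jboss-as-root jboss || tighten_config /path/to/jboss-as-root
```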
-
5. Re: Is 7.0.0.Final (Everything) ready and stable for production?
mechevar Aug 1, 2011 2:46 PM (in response to jason.greene)
I agree. Server security is more important than a masked password. If a bad actor has access to a server, the damage is done, no simple password mask can help that. Unfortunately, I have a black and white business rule that passwords cannot be stored in plain text.
-
6. Re: Is 7.0.0.Final (Everything) ready and stable for production?
jason.greene Aug 1, 2011 2:58 PM (in response to mechevar)
Michael Echevarria wrote:
I agree. Server security is more important than a masked password. If a bad actor has access to a server, the damage is done, no simple password mask can help that. Unfortunately, I have a black and white business rule that passwords cannot be stored in plain text.

OK, I can sympathize with you then. BTW, one of our security devs tells me the SecureIdentityLoginModule has a fix to be merged shortly. I was speaking to the more general problem of masking all passwords (not just DS).
-
7. Re: Is 7.0.0.Final (Everything) ready and stable for production?
mmoyses Aug 1, 2011 3:01 PM (in response to mechevar)
FYI https://issues.jboss.org/browse/AS7-1072 is the issue if you want to watch it to see when it gets merged upstream.