-
1. Re: Securing the connection between slave host controller and master host controller
ctomc Mar 21, 2012 6:50 PM (in response to karink)
Hi,
You can just use a vault expression in place of the secret value.
Something along these lines:
<secret value="${VAULT::keystore_pass::password::NmZiYmRmOGQtMTYzZS00MjE3LTllODMtZjI4OGM2NGJmODM4TElORV9CUkVBS3ZhdWx0}" />
For more info:
https://community.jboss.org/wiki/JBossAS7SecuringPasswords
https://community.jboss.org/wiki/AS7UtilisingMaskedPasswordsViaTheVault
--
tomaz
-
2. Re: Securing the connection between slave host controller and master host controller
karink Mar 22, 2012 3:05 AM (in response to ctomc)
Hi Tomaz
Thanks for your answer. I already know the Vault feature for storing/securing the password on the file system in a secure way.
However, my question was not how to store it securely on the file system, but how the password will be transmitted from slave to master host controller on the network.
I don't understand that. Is it done just plain or DIGEST or something else?
Regards
Karin
-
3. Re: Securing the connection between slave host controller and master host controller
dlofthouse Mar 22, 2012 9:17 AM (in response to karink)
1 of 1 people found this helpful
It is the server side of the configuration that decides if the password will be transmitted using Digest or Plain - in general our default preference is to always use Digest authentication but we fall back to Plain when the server side of the configuration does not supply the information needed for Digest.
On the server side, in order to use Digest we need to be able to access either the plain text password for the user or we need to access a pre-prepared hash of their username and password with the realm - for configurations that can't supply either of these we then fall back to the Plain mechanism. In practice this means that we use Digest when the properties file is used but fall back to Plain when either LDAP or JAAS are used for the verification.
This week I am starting work on the following task to make it possible to plug in different stores so we don't need to rely on the JAAS integration that makes us fall back to Plain: -
https://issues.jboss.org/browse/AS7-4194
There are a couple of slightly higher priority tasks I need to look at sooner but will also review for LDAP based authentication how we can implement a pass through digest mechanism against LDAP to again eliminate the plain text passwords: -
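The Digest requirement described in reply 3, as an added example that is not part of dlofthouse's post or of the JBoss code base: it shows why a store holding only the pre-prepared hash of username, realm and password can still verify a Digest response, and that the password itself never crosses the network. It assumes the Digest mechanism is SASL DIGEST-MD5 as specified in RFC 2831; the realm name, account, secret, nonces and digest URI are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import hmac

REALM = "ManagementRealm"  # assumed realm name, not given in the thread

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def prepared_hash(username: str, realm: str, password: str) -> str:
    """Pre-prepared hash of username, realm and password (hex MD5)."""
    return md5(f"{username}:{realm}:{password}".encode()).hex()

def digest_response(user_hash: str, nonce: str, cnonce: str,
                    nc: str, qop: str, uri: str) -> str:
    """RFC 2831 response-value, derived from the stored hash alone."""
    a1 = bytes.fromhex(user_hash) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{md5(a2).hex()}"
    return md5(kd.encode()).hex()

def select_mechanism(store_has_password_or_hash: bool) -> str:
    """Digest when the store can supply a password or hash, else Plain."""
    return "DIGEST-MD5" if store_has_password_or_hash else "PLAIN"

def server_verify(store: dict, username: str, response: str,
                  nonce: str, cnonce: str, nc: str, qop: str, uri: str) -> bool:
    """Recompute the response from the stored hash; no password is received."""
    stored = store.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, nonce, cnonce, nc, qop, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample data: one slave host controller account in a properties-style store.
STORE = {"slave1": prepared_hash("slave1", REALM, "constructed-secret")}
CHALLENGE = ("srv-nonce-1", "cli-nonce-1", "00000001", "auth", "remote/master.example")

def demo() -> tuple:
    good = digest_response(prepared_hash("slave1", REALM, "constructed-secret"), *CHALLENGE)
    bad = digest_response(prepared_hash("slave1", REALM, "wrong-guess"), *CHALLENGE)
    replayed = ("srv-nonce-2",) + CHALLENGE[1:]  # same response, fresh server nonce
    return (server_verify(STORE, "slave1", good, *CHALLENGE),
            server_verify(STORE, "slave1", bad, *CHALLENGE),
            server_verify(STORE, "slave1", good, *replayed))

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A store that can only answer "does this password bind?", such as the LDAP or JAAS cases in the reply, has nothing to feed into `digest_response`, which is why `select_mechanism(False)` yields Plain and the channel then needs transport encryption to protect the password.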
-
4. Re: Securing the connection between slave host controller and master host controller
karink Mar 22, 2012 10:40 AM (in response to dlofthouse)
OK, cool.
Thanks