5 Replies Latest reply on Jul 31, 2008 12:02 AM by Balaji Saranathan

    Using custom security domain to use encrypted password

    Priyanka Maheshwari Newbie

      Hi Everybody,

      My Requirement:
      1. remove the usage of cleartext password from mysql-ds.xml
      2. Use the custom password manager to retrieve the password

      Given Solution by extending the SecureIdentityLoginModule:
      JBoss connector API’s provides SecureIdentityLoginModule to encrypt database passwords rather than using clear text passwords in the datasource configuration. I have extended this class and overridden the commit method, which will call password manager to retrieve the password.

      Problem:
      By going thru the custom login module, JBoss JCA takes ~25 milliseconds to return the connection. And this 25 milliseconds doesn't count the time to call password manager. But if I don't use cleartext password, it takes hardly 1 millisecond.

      I want to understand:
      1. what is done by JCA when login module is used which takes ~25 milliseconds.
      2. Is there any way I can configure JBoss JCA to verify the password only for the 1st time, and for the subsequent calls, it just returns the connection in ~1 milliseconds.

      Thanks in advance,
      Priyanka

        • 1. Re: Using custom security domain to use encrypted password
          Peter Johnson Master

          Did you set min-pool-size in the *-ds.xml file? If not, try setting is to the number of simultaneous connections that you expect to have and see if that reduces the time.

          • 2. Re: Using custom security domain to use encrypted password
            Vicky Kak Master

             

            "priyankalavti" wrote:

            Problem:
            By going thru the custom login module, JBoss JCA takes ~25 milliseconds to return the connection. And this 25 milliseconds doesn't count the time to call password manager. But if I don't use cleartext password, it takes hardly 1 millisecond.


            Give us the evidence , we need log details which will indicate what you claim .

            • 3. Re: Using custom security domain to use encrypted password
              Priyanka Maheshwari Newbie

              here are the logs after enabling trace on the server.

              Please notice the time difference of colored logs.

              2008-07-25 16:40:34,369 INFO [STDOUT] Entering getDbConnection method
              2008-07-25 16:40:34,370 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=id=admin,ou=user,dc=test,dc=com
              2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
              Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
              , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275], activeUsers=0
              2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
              Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
              , this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
              2008-07-25 16:40:34,370 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] getIdentity called, username=testuser
              2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Begin isValid, principal:id=admin,ou=user,dc=test,dc=com, cache info: null
              2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, principal=id=admin,ou=user,dc=test,dc=com
              2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(EncryptDBPassword), size=10

              2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(EncryptDBPassword), authInfo=AppConfigurationEntry[]:
              [0]
              LoginModule Class: com.test.security.jboss.loginmodule.DatabaseSecureLoginModule
              ControlFlag: LoginModuleControlFlag: required
              Options:name=managedConnectionFactoryName, value=jboss.jca:name=testjndi,service=LocalTxCM
              name=password, value=TESTUSER_KEY
              name=username, value=testuser

              2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.AbstractPasswordCredentialLoginModule1] mcfname: jboss.jca:name=testjndi,service=LocalTxCM
              2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] login called
              2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, lc=javax.security.auth.login.LoginContext@1d71519, subject=Subject(27927662).principals=
              2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] updateCache, inputSubject=Subject(27927662).principals=, cacheSubject=Subject(20835342).principals=
              2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@54b8e7[Subject(20835342).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
              2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] End isValid, true
              2008-07-25 16:40:34,399 INFO [STDOUT] time taken in getDbConnection in millis...30

              Regards,
              Priyanka

              • 4. Re: Using custom security domain to use encrypted password
                Priyanka Maheshwari Newbie

                I am using MySQL database.

                The mysql-ds.xml looks like:

                <local-tx-datasource>
                 <jndi-name>testjndi</jndi-name>
                 <connection-url>jdbc:mysql://localhost:3306/</connection-url>
                 <security-domain>EncryptDBPassword</security-domain>
                 <driver-class>org.gjt.mm.mysql.Driver</driver-class>
                 <!--pooling parameters-->
                 <min-pool-size>5</min-pool-size>
                 <max-pool-size>100</max-pool-size>
                 <blocking-timeout-millis>5000</blocking-timeout-millis>
                 <idle-timeout-minutes>15</idle-timeout-minutes>
                 </local-tx-datasource>

                The application policy entry of login-config.xml looks like:
                <application-policy name="EncryptDBPassword">
                 <authentication>
                 <login-module code="com.test.security.jboss.loginmodule.DatabaseSecureLoginModule" flag="required">
                 <module-option name="username">testuser</module-option>
                 <module-option name="password">TESTUSER_KEY</module-option>
                 <module-option name="managedConnectionFactoryName">jboss.jca:name=testjndi,service=LocalTxCM</module-option>
                 </login-module>
                 </authentication>
                 </application-policy>


                Regards,
                Priyanka




                • 5. Re: Using custom security domain to use encrypted password
                  Balaji Saranathan Newbie

                  Hi,

                  This issue has been fixed (atleast for us) using the Caching policies. WE had a DefaultCacheTimeOut of "0" which meant the authenticate() was called everytime in the following piece of code. of the authentication.
                  The latency that was a problem for us in our design was the authenticate() that created DefaultLoginConfig using reflection. A few milliseconds extra but on a real time server , it was a major impact for us.

                  Thanks
                  Bala

                  Code snippet from the Jboss source code (JaasSecurityManager)
                  
                  public boolean isValid(Principal principal, Object credential,
                  
                   Subject activeSubject)
                  
                   {
                  
                   // Check the cache first
                  
                   DomainInfo cacheInfo = getCacheInfo(principal, true);
                  
                   if( trace )
                  
                   log.trace("Begin isValid, principal:"+principal+", cache info: "+cacheInfo);
                  
                  
                  
                   boolean isValid = false;
                  
                   if( cacheInfo != null )
                  
                   {
                  
                   isValid = validateCache(cacheInfo, credential, activeSubject);
                  
                   if( cacheInfo != null )
                  
                   cacheInfo.release();
                  
                   }
                  
                   if( isValid == false )
                  
                   isValid = authenticate(principal, credential, activeSubject);
                  
                   if( trace )
                  
                   log.trace("End isValid, "+isValid);
                  
                   return isValid;
                  
                   }