AS7: Utilising masked passwords via the vault

    Background:

    JBoss AS7.1 includes a vault facility to secure attributes (such as passwords). 

    You can get more information at https://community.jboss.org/wiki/JBossAS7SecuringPasswords


    Example:

    Assume that I want to obtain a datasource in my servlet; this is a very simple example.


    The servlet would look like the following:


    package vaulterror.web;
    
    import java.io.IOException;
    import java.io.Writer;
    
    import javax.annotation.Resource;
    import javax.annotation.sql.DataSourceDefinition;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.sql.DataSource;
    
    
    /* Clear-text variant, kept only for comparison with the vaulted definition below:
    @DataSourceDefinition(
            name = "java:jboss/datasources/LoginDS",
            user = "sa",
            password = "sa",
            className = "org.h2.jdbcx.JdbcDataSource",
            url = "jdbc:h2:tcp://localhost/mem:test"
    )*/
    // Same datasource, with the password given as a VAULT::<block>::<attribute>::<shared key> reference
    @DataSourceDefinition(
            name = "java:jboss/datasources/LoginDS",
            user = "sa",
            password = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0",
            className = "org.h2.jdbcx.JdbcDataSource",
            url = "jdbc:h2:tcp://localhost/mem:test"
    )
    @WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" }, loadOnStartup = 1)
    public class MyTestServlet extends HttpServlet {
    
        private static final long serialVersionUID = 1L;
    
        // Injected by the container once the datasource definition above has been processed
        @Resource(lookup = "java:jboss/datasources/LoginDS")
        private DataSource ds;
    
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            // Writes "true" when the DataSource was injected successfully
            Writer writer = resp.getWriter();
            writer.write((ds != null) + "");
        }
    }
    


    Note that I have commented out one @DataSourceDefinition annotation: that one includes the clear-text database password. In this example, we use the H2 database that is available for use in JBoss AS7.1.


    The uncommented @DataSourceDefinition contains the masked password as a vault reference of the form VAULT::<vault block>::<attribute name>::<shared key>. The session below shows how that reference was produced with vault.sh:


    anil@localhost:~/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/bin$ sh util/vault.sh 
    =========================================================================
    
      JBoss Vault
    
      JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT
    
      JAVA: /opt/java/jdk1.6.0_23/bin/java
    
      VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/security/main/*
    =========================================================================
    
    **********************************
    ****  JBoss Vault ********
    **********************************
    Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
    0
    Starting an interactive session
    Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
    Enter Keystore URL:/home/anil/vault/vault.keystore
    Enter Keystore password: 
    Enter Keystore password again: 
    Values match
    Enter 8 character salt:12345678
    Enter iteration count as a number (Eg: 44):25
    
    Please make note of the following:
    ********************************************
    Masked Password:MASK-DjeJRxMmsyt
    salt:12345678
    Iteration Count:25
    ********************************************
    
    Enter Keystore Alias:vault
    Jan 11, 2012 1:02:37 PM org.jboss.security.vault.SecurityVaultFactory get
    INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
    Obtained Vault
    Intializing Vault
    Jan 11, 2012 1:02:38 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
    INFO: Default Security Vault Implementation Initialized and Ready
    Vault is initialized and ready for use
    Handshake with Vault complete
    Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
    0
    Task:  Store a password
    Please enter attribute value: 
    Please enter attribute value again: 
    Values match
    Enter Vault Block:DS
    Enter Attribute Name:thePass
    Attribute Value for (DS, thePass) saved
    
    Please make note of the following:
    ********************************************
    Vault Block:DS
    Attribute Name:thePass
    Shared Key:OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0
    Configuration should be done as follows:
    VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0
    ********************************************
    
    Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
    2
    anil@localhost:~/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/bin$ 
    


    I entered "sa" for the attribute value.

    I entered "vault22" for the keystore password.


    My standalone/configuration/standalone.xml contains the following. The KEYSTORE_PASSWORD, SALT and ITERATION_COUNT options must be the masked password, salt and iteration count that vault.sh printed for the keystore you configure (note that the values shown here differ from those printed in the session above):


    <?xml version='1.0' encoding='UTF-8'?>
    
    <server name="localhost.sadbhav" xmlns="urn:jboss:domain:1.1" xmlns:xsd="http://www.w3.org/2001/XMLSchema-instance">
    
        <extensions>
           ...
        </extensions>
    
        <vault>
          <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
          <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
          <vault-option name="KEYSTORE_ALIAS" value="vault"/>
          <vault-option name="SALT" value="12438567"/>
          <vault-option name="ITERATION_COUNT" value="50"/>
          <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
        </vault>
        <management> ....
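    As an added check (not part of the original page or of JBoss itself), the following Python script parses VAULT::block::attribute::sharedkey references and audits a standalone.xml for a clear-text KEYSTORE_PASSWORD, missing vault options and datasource <password> elements that were never converted to vault references. The sample XML is constructed and modelled on the configuration above; the datasource subsystem layout (<security><user-name/><password/></security>) is the AS7 datasources schema.

```python
import re
import xml.etree.ElementTree as ET

# Reference format printed by vault.sh: VAULT::<block>::<attribute>::<shared key>
VAULT_RE = re.compile(r"^VAULT::([^:]+)::([^:]+)::([A-Za-z0-9+/=]+)$")
MASK_RE = re.compile(r"^MASK-[A-Za-z0-9+/=]+$")  # masked keystore password from vault.sh
REQUIRED = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
            "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}

def parse_vault_token(value):
    """Return (block, attribute, shared_key), or None if value is not a VAULT reference."""
    m = VAULT_RE.match(value.strip())
    return m.groups() if m else None

def local(tag): return tag.rsplit("}", 1)[-1]  # drop the {urn:jboss:domain:...} namespace

def audit_standalone(xml_text):
    """Return findings: missing or clear-text <vault> options and unvaulted <password> elements."""
    findings, root = [], ET.fromstring(xml_text)
    vault = next((e for e in root.iter() if local(e.tag) == "vault"), None)
    if vault is None:
        findings.append("no <vault> element, so VAULT:: references cannot be resolved")
    else:
        opts = {o.get("name"): o.get("value", "") for o in vault if local(o.tag) == "vault-option"}
        findings += ["vault-option %s missing" % n for n in sorted(REQUIRED - opts.keys())]
        if "KEYSTORE_PASSWORD" in opts and not MASK_RE.match(opts["KEYSTORE_PASSWORD"]):
            findings.append("KEYSTORE_PASSWORD is clear text; expected the MASK- value from vault.sh")
        if "SALT" in opts and len(opts["SALT"]) != 8:
            findings.append("SALT must be exactly 8 characters")
    for el in root.iter():  # e.g. a datasource's <security><password> element
        if local(el.tag) == "password" and parse_vault_token(el.text or "") is None:
            findings.append("clear-text <password> element; use a VAULT:: reference")
    return findings

# Constructed sample modelled on the page's standalone.xml: clear-text keystore password, one unvaulted datasource
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <vault>
    <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="vault22"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="25"/>
    <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
  </vault>
  <subsystem xmlns="urn:jboss:domain:datasources:1.0"><datasources>
    <datasource jndi-name="java:jboss/datasources/LoginDS" pool-name="LoginDS">
      <security><user-name>sa</user-name><password>sa</password></security></datasource>
    <datasource jndi-name="java:jboss/datasources/VaultDS" pool-name="VaultDS">
      <security><user-name>sa</user-name><password>VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0</password></security></datasource>
  </datasources></subsystem>
</server>"""
```

Running audit_standalone(SAMPLE_XML) reports the clear-text KEYSTORE_PASSWORD and the LoginDS password; the VaultDS reference passes.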
    


    When I go to the web application at http://localhost:8080/vaulterror-web-1.0-SNAPSHOT/my/, I get the value "true", i.e. the DataSource defined with the vaulted password was injected.


    NOTE:  My maven workspace is attached as Zip.


    Masking SSL KeyStore Password in JBoss AS7

    https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb