AS7: Utilising masked passwords via the vault


JBoss AS7.1 includes a vault facility to secure attributes (such as passwords). 

You can get more information at



Assume that I want to obtain a datasource in my servlet.  This is a very simple example.


The servlet would look like the following:


package vaulterror.web;

import java.io.IOException;
import java.io.Writer;

import javax.annotation.Resource;
import javax.annotation.sql.DataSourceDefinition;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Clear-text variant (commented out): the database password is readable in the source.
/*@DataSourceDefinition(
        name = "java:jboss/datasources/LoginDS",
        user = "sa",
        password = "sa",
        className = "org.h2.jdbcx.JdbcDataSource",
        url = "jdbc:h2:tcp://localhost/mem:test"
)*/
// Vault variant: the password attribute is a VAULT:: reference resolved by the server.
@DataSourceDefinition(
        name = "java:jboss/datasources/LoginDS",
        user = "sa",
        password = "VAULT::DS::thePass::OWY5M2I5NzctYzdkOS00MmZhLWExZGYtNjczM2U5ZGUyOWIxTElORV9CUkVBS3ZhdWx0",
        className = "org.h2.jdbcx.JdbcDataSource",
        url = "jdbc:h2:tcp://localhost/mem:test"
)
@WebServlet(name = "MyTestServlet", urlPatterns = { "/my/" }, loadOnStartup = 1)
public class MyTestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Injected by the container from the definition above.
    @Resource(lookup = "java:jboss/datasources/LoginDS")
    private DataSource ds;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        Writer writer = resp.getWriter();
        // Writes "true" when the datasource was injected successfully.
        writer.write((ds != null) + "");
    }
}


Note that I have commented out one @DataSourceDefinition annotation: the one that includes the clear-text database password. In this example, we use the H2 database that is available for use in JBoss AS7.1.


The uncommented @DataSourceDefinition refers to the masked password held in the vault. The password was stored with the following vault tool session:


anil@localhost:~/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/bin$ sh util/ 

  JBoss Vault

  JBOSS_HOME: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT

  JAVA: /opt/java/jdk1.6.0_23/bin/java

  VAULT Classpath: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/picketbox/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/logging/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/common-core/main/*:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.Final-SNAPSHOT/modules/org/jboss/as/security/main/*

****  JBoss Vault ********
Please enter a Digit::   0: Start Interactive Session  1: Remove Interactive Session  2: Exit
Starting an interactive session
Enter directory to store encrypted files (end with either / or \ based on Unix or Windows:/home/anil/vault/
Enter Keystore URL:/home/anil/vault/vault.keystore
Enter Keystore password: 
Enter Keystore password again: 
Values match
Enter 8 character salt:12345678
Enter iteration count as a number (Eg: 44):25

Please make note of the following:
Masked Password:MASK-DjeJRxMmsyt
Iteration Count:25

Enter Keystore Alias:vault
Jan 11, 2012 1:02:37 PM get
INFO: Getting Security Vault with implementation of org.picketbox.plugins.vault.PicketBoxSecurityVault
Obtained Vault
Intializing Vault
Jan 11, 2012 1:02:38 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
INFO: Default Security Vault Implementation Initialized and Ready
Vault is initialized and ready for use
Handshake with Vault complete
Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit
Task:  Store a password
Please enter attribute value: 
Please enter attribute value again: 
Values match
Enter Vault Block:DS
Enter Attribute Name:thePass
Attribute Value for (DS, thePass) saved

Please make note of the following:
Vault Block:DS
Attribute Name:thePass
Configuration should be done as follows:

Please enter a Digit::   0: Store a password  1: Check whether password exists  2: Exit


I entered "sa" for the attribute value.

I entered "vault22" for the keystore password.



My standalone/configuration/standalone.xml contains the following:


<?xml version='1.0' encoding='UTF-8'?>

<server name="localhost.sadbhav" xmlns="urn:jboss:domain:1.1" xmlns:xsd="">


    <vault>
      <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
      <vault-option name="KEYSTORE_PASSWORD" value="MASK-3y28rCZlcKR"/>
      <vault-option name="KEYSTORE_ALIAS" value="vault"/>
      <vault-option name="SALT" value="12438567"/>
      <vault-option name="ITERATION_COUNT" value="50"/>
      <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
    </vault>
    <management> ....


When I go to the web application at http://localhost:8080/vaulterror-web-1.0-SNAPSHOT/my/, I get the value "true".
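
An added example (not from the original article or the JBoss project): a small Python check over the two artefacts this page edits, the servlet source and the vault options in standalone.xml. The inputs are constructed, the function names are hypothetical, and treating all six vault-option names as required is an assumption based on the page's configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the page's servlet and standalone.xml.
JAVA_SRC = '''/*@DataSourceDefinition(name = "java:jboss/datasources/LoginDS",
        user = "sa", password = "sa")*/
@DataSourceDefinition(name = "java:jboss/datasources/LoginDS",
        user = "sa", password = "VAULT::DS::thePass::Q09OU1RSVUNURUQ=")
'''
STANDALONE_XML = '''<server xmlns="urn:jboss:domain:1.1"><vault>
  <vault-option name="KEYSTORE_URL" value="${user.home}/vault/vault.keystore"/>
  <vault-option name="KEYSTORE_PASSWORD" value="changeit"/>
  <vault-option name="SALT" value="1234567"/>
  <vault-option name="ITERATION_COUNT" value="25"/>
  <vault-option name="ENC_FILE_DIR" value="${user.home}/vault/"/>
</vault></server>'''

# Option names taken from the page's <vault-option> list (assumed all required).
REQUIRED = {"KEYSTORE_URL", "KEYSTORE_PASSWORD", "KEYSTORE_ALIAS",
            "SALT", "ITERATION_COUNT", "ENC_FILE_DIR"}
VAULT_REF = re.compile(r"VAULT::([^:\s]+)::([^:\s]+)::(\S+)")

def parse_vault_ref(value):
    """Return (vault block, attribute name), or None if not a vault reference."""
    m = VAULT_REF.fullmatch(value)
    return (m.group(1), m.group(2)) if m else None

def audit_java(src):
    """Return 1-based line numbers of password literals that bypass the vault.
    Comments are scanned on purpose: a commented-out password still ships."""
    findings = []
    for m in re.finditer(r'\bpassword\s*=\s*"([^"]*)"', src):
        if parse_vault_ref(m.group(1)) is None:
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings

def audit_vault_options(xml_text):
    """Check the vault-option set for missing, unmasked or malformed values."""
    opts = {el.get("name"): el.get("value", "")
            for el in ET.fromstring(xml_text).iter()
            if el.tag.rsplit("}", 1)[-1] == "vault-option"}
    findings = ["missing " + n for n in sorted(REQUIRED - opts.keys())]
    if "KEYSTORE_PASSWORD" in opts and not opts["KEYSTORE_PASSWORD"].startswith("MASK-"):
        findings.append("KEYSTORE_PASSWORD not masked")
    if "SALT" in opts and len(opts["SALT"]) != 8:
        findings.append("SALT not 8 characters")
    if "ITERATION_COUNT" in opts and not opts["ITERATION_COUNT"].isdigit():
        findings.append("ITERATION_COUNT not numeric")
    return findings
```

On the constructed inputs, audit_java reports line 2 (the clear-text password left in the commented-out annotation) and audit_vault_options reports the missing alias, the unmasked keystore password and the 7-character salt.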



NOTE:  My maven workspace is attached as Zip.

