Obfuscated passwords for JDBC data sources?

Obfuscated passwords for JDBC data sources?

Wendy Smoak-3
I'm trying to use an obfuscated password for a JDBC data source with
Jetty 6.1.6.

[1] says it should work for 'jdbc driver passwords' and [2] mentions
it in the context of a mail session.

So, should this (based on [3]) work in jetty.xml?

 <New id="continuum" class="org.mortbay.jetty.plus.naming.Resource">
   <Arg>jdbc/continuum</Arg>
   <Arg>
     <New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
       <Set name="Url">jdbc:mysql://localhost:3306/continuumdata</Set>
       <Set name="user">continuumuser</Set>
       <!-- Set name="password">p4ssw0rd</Set -->
       <Set name="password">OBF:1v2j1lxd1lfm1zej1zer1lbw1m0t1v1v</Set>
     </New>
   </Arg>
 </New>

If I switch back to the plain text password, the app works fine.   I
looked in JIRA and the list archives but didn't see anything relevant.
 Am I missing something?

[1] http://docs.codehaus.org/display/JETTY/Securing+Passwords
[2] http://docs.codehaus.org/display/JETTY/JNDI
[3] http://docs.codehaus.org/display/JETTY/DataSource+Examples -> MySQL

Thanks,
--
Wendy

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Re: Obfuscated passwords for JDBC data sources?

Tatu Saloranta
--- On Sat, 6/7/08, Wendy Smoak <[hidden email]> wrote:
...

> [1] says it should work for 'jdbc driver passwords' and [2] mentions
> it in the context of a mail session.
>
> So, should this (based on [3]) work in jetty.xml?
>
>  <New id="continuum" class="org.mortbay.jetty.plus.naming.Resource">
>    <Arg>jdbc/continuum</Arg>
>    <Arg>
>      <New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
>        <Set name="Url">jdbc:mysql://localhost:3306/continuumdata</Set>
>        <Set name="user">continuumuser</Set>
>        <!-- Set name="password">p4ssw0rd</Set -->
>        <Set name="password">OBF:1v2j1lxd1lfm1zej1zer1lbw1m0t1v1v</Set>
>      </New>
>    </Arg>
>  </New>

Set, New etc. operations from jetty.xml just translate to calls without knowing the semantics of the classes and methods being called, so the password will be passed as is.
So unless the MySQL JDBC driver recognizes obfuscated passwords, no, I would not expect this to work. As far as I know this way of obfuscating passwords is a Jetty-specific feature, so I would not expect this to work as is.

This is different from configuring SSL key stores, since the objects being configured (ssl socket listener etc.) are Jetty-provided and thus understand the concept of obfuscated passwords.

I would love to be proven wrong here though, since it's good to be able to at least obfuscate passwords if not really secure them.

-+ Tatu +-




     

Re: Obfuscated passwords for JDBC data sources?

Wendy Smoak-3
On Sat, Jun 7, 2008 at 4:13 PM, Tatu Saloranta <[hidden email]> wrote:

> Set, New etc. operations from jetty.xml just translate to calls without knowing the semantics of the classes and methods being called, so the password will be passed as is.
> So unless the MySQL JDBC driver recognizes obfuscated passwords, no, I would not expect this to work. As far as I know this way of obfuscating passwords is a Jetty-specific feature, so I would not expect this to work as is.

That makes sense.  Any idea what the Securing Passwords page [1] means
then?  It specifically mentions jdbc driver passwords.

We've recently switched the Continuum distribution from a Plexus
Appserver bundle to a 'plain' Jetty bundle.  Before, the plexus.xml
config file had the JDBC _Driver_ class.  I haven't seen any jetty.xml
examples that use a Driver, only a DataSource.

Is there possibly a different way to configure the JNDI resource, that
uses a Driver, and that allows obfuscated passwords?

> I would love to be proven wrong here though, since it's good to be able to at least obfuscate passwords if not really secure them.

Yep.  This is being prompted by a client whose corporate policies
prohibit plain text passwords.

[1] http://docs.codehaus.org/display/JETTY/Securing+Passwords

Thanks,
--
Wendy

Re: Obfuscated passwords for JDBC data sources?

Jan Bartel
Hi Wendy,

Wendy Smoak wrote:
> On Sat, Jun 7, 2008 at 4:13 PM, Tatu Saloranta <[hidden email]> wrote:
>
>> Set, New etc. operations from jetty.xml just translate to calls without knowing the semantics of the classes and methods being called, so the password will be passed as is.
>> So unless the MySQL JDBC driver recognizes obfuscated passwords, no, I would not expect this to work. As far as I know this way of obfuscating passwords is a Jetty-specific feature, so I would not expect this to work as is.
>
> That makes sense.  Any idea what the Securing Passwords page [1] means
> then?  It specifically mentions jdbc driver passwords.

Tatu is correct - the recipient of the obfuscated password must be a class that is
written to expect this, and 3rd party libs are generally not. I've taken the phrase
about "jdbc drivers" out of the page about passwords as I agree that it is confusing
matters.

> We've recently switched the Continuum distribution from a Plexus
> Appserver bundle to a 'plain' Jetty bundle.  Before, the plexus.xml
> config file had the JDBC _Driver_ class.  I haven't seen any jetty.xml
> examples that use a Driver, only a DataSource.

Configuring database access for JNDI lookups is usually done with a DataSource,
which may itself use Driver information. There are lots of examples on this page: http://docs.codehaus.org/display/JETTY/DataSource+Examples

However, these are all 3rd party database libs and none of them are written
to expect a jetty obfuscated password.
 
> Is there possibly a different way to configure the JNDI resource, that
> uses a Driver, and that allows obfuscated passwords?
>
>> I would love to be proven wrong here though, since it's good to be able to at least obfuscate passwords if not really secure them.
>
> Yep.  This is being prompted by a client whose corporate policies
> prohibit plain text passwords.

Well, if this is on a commercial timescale, then one thing to do would
be to contact Webtide ([hidden email]) and ask us about sponsoring
some work to do this kind of thing :-)

cheers
Jan

>
> [1] http://docs.codehaus.org/display/JETTY/Securing+Passwords
>
> Thanks,


--
Jan Bartel, Webtide LLC | [hidden email] | http://www.webtide.com
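
Added example, not part of the thread and not Jetty's code: a Python reimplementation of the keyless `OBF:` encoding, checked against the value pair in Wendy's jetty.xml, with two stand-in classes (hypothetical names) that model Tatu's and Jan's point that `<Set>` hands the string to the setter unchanged. It assumes ASCII passwords and that the commented-out `p4ssw0rd` is the plaintext of the `OBF:` value.

```python
# Added example: Python reimplementation of the keyless OBF: encoding.
# Not Jetty's code. Assumes ASCII passwords.
PREFIX = "OBF:"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n):
    """Render n in base 36, left-padded to the 4 characters OBF uses per byte."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(4, "0")

def obfuscate(plain):
    data = plain.encode("ascii")
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[-(i + 1)]                 # byte mirrored from the other end
        groups.append(_base36((127 + b1 + b2) * 256 + (127 + b1 - b2)))
    return PREFIX + "".join(groups)

def deobfuscate(value):
    body = value[len(PREFIX):] if value.startswith(PREFIX) else value
    if len(body) % 4:
        raise ValueError("OBF body must be a multiple of 4 characters")
    out = bytearray()
    for i in range(0, len(body), 4):
        i1, i2 = divmod(int(body[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)    # i1 + i2 = 254 + 2*b1, no key involved
    return out.decode("ascii")

class ThirdPartyDataSource:
    """Hypothetical stand-in for a driver class that has never heard of OBF."""
    def set_password(self, pw):
        self.password = pw

class JettyAwareComponent:
    """Hypothetical stand-in for a Jetty-provided class (e.g. an SSL listener)."""
    def set_password(self, pw):
        self.password = deobfuscate(pw) if pw.startswith(PREFIX) else pw

def xml_set(obj, name, value):
    """Model of <Set name="...">: call the setter, value untouched."""
    getattr(obj, "set_" + name)(value)
    return obj

PAGE_OBF = "OBF:1v2j1lxd1lfm1zej1zer1lbw1m0t1v1v"   # value from the thread's jetty.xml

if __name__ == "__main__":
    print(deobfuscate(PAGE_OBF))
    print(xml_set(ThirdPartyDataSource(), "password", PAGE_OBF).password)
    print(xml_set(JettyAwareComponent(), "password", PAGE_OBF).password)
```

Because the transform needs no secret, anyone who can read jetty.xml can recover the password; file permissions on the config remain the actual control.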
