How to add a datasource with encrypted password in WildFly Swarm with .war packaging?
I am using the configuration below to add a data source to my WAR in WildFly Swarm:
swarm:
  datasources:
    data-sources:
      MyDS:
        driver-name: oracle
        connection-url: <my-connection-string>
        user-name: <my-user-name>
        password: <my-password-in-clear-text>
How can this be changed so that the password is encrypted and not in clear text?
Here is my working example for Oracle 12 with SecureIdentityLoginModule:
swarm:
  datasources:
    data-sources:
      <your-datasource-name>:
        driver-name: oracle
        connection-url: jdbc:oracle:thin:@<your-oracle-ip>:<your-oracle-port>:<your-oracle-sid>
        security-domain: myEncryptedDs
  security:
    security-domains:
      myEncryptedDs:
        classic-authentication:
          login-modules:
            myLoginModule:
              code: org.picketbox.datasource.security.SecureIdentityLoginModule
              flag: required
              module-options:
                username: <your-oracle-username>
                password: <your-encrypted-oracle-password>
With the following command you can encrypt your password (the two jar libraries can be found in the WildFly Swarm WAR file you built; the command below uses the Windows classpath separator `;` and `%CLASSPATH%`, on Linux/macOS use `:` and `$CLASSPATH` instead):
java -cp <your-path-to-wildfly-jars>\picketbox-4.9.6.Final.jar;<your-path-to-wildfly-jars>\logging-2017.11.0.jar;%CLASSPATH% org.picketbox.datasource.security.SecureIdentityLoginModule <your-password>
You need to implement org.wildfly.swarm.spi.api.ConfigurationFilter. Your class will be called for each property of your file, and you can change the value at the same time. Here is an example of how to decrypt your value. You must provide a key (at JVM startup) to decrypt your value.
import java.security.NoSuchAlgorithmException;

import org.wildfly.swarm.spi.api.ConfigurationFilter;

public class DecryptPropertyFilter implements ConfigurationFilter {

    // EncryptionHelper is the answerer's own class and is not shown on the page;
    // it wraps whichever cipher was used to produce the ENC(...) values.
    private EncryptionHelper encryptionHelper;

    {
        try {
            // The key is supplied at JVM startup, e.g. -Dencryption.key=<key>
            encryptionHelper = new EncryptionHelper(System.getProperty("encryption.key"));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    @Override
    @SuppressWarnings("unchecked")
    public <T> T filter(String key, T value) {
        if (value instanceof String) {
            String str = value.toString();
            // Only values wrapped as ENC(<ciphertext>) are decrypted; all other
            // properties pass through unchanged.
            if (str.startsWith("ENC(") && str.endsWith(")")) {
                try {
                    value = (T) encryptionHelper.decrypt(str.substring(4, str.length() - 1));
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }
        }
        return value;
    }
}
For Thorntail:
thorntail:
  datasources:
    data-sources:
      myDS:
        use-java-context: true
        statistics-enabled: true
        driver-name: mysql
        connection-url: ${db.url}
        security-domain: mydbSecure
        jndi-name: java:/myDS
        check-valid-connection-sql: select 1
        valid-connection-checker-class-name: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker
        validate-on-match: false
        background-validation: true
        background-validation-millis: 10000
        use-fast-fail: true
        min-pool-size: 5
        max-pool-size: 10
        prefill: true
        flush-strategy: FailingConnectionOnly
        exception-sorter-class-name: org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter
  security:
    security-domains:
      mydbSecure:
        classic-authentication:
          login-modules:
            default:
              module-options:
                username: ${ds.uname}
                password: ${ds.pass}
              flag: required
              code: org.picketbox.datasource.security.SecureIdentityLoginModule
          cache-type: default
This is how you would encode the password:
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

public class EncodePassword {
    public static void main(String[] args) throws Exception
    {
        String password = "password";
        String encode = encode(password);
        System.out.println("Encoded password: " + encode);
    }

    // Same scheme as SecureIdentityLoginModule: Blowfish (ECB, PKCS5 padding by
    // default) under the fixed key "jaas is the way", result printed as the hex
    // form of a signed BigInteger.
    private static String encode(String secret) throws NoSuchPaddingException, NoSuchAlgorithmException,
            InvalidKeyException, BadPaddingException, IllegalBlockSizeException
    {
        byte[] kbytes = "jaas is the way".getBytes();
        SecretKeySpec key = new SecretKeySpec(kbytes, "Blowfish");
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encoding = cipher.doFinal(secret.getBytes());
        BigInteger n = new BigInteger(encoding);
        return n.toString(16);
    }
}
The below is how you would decode the password.
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

public class DecodePassword {
    public static void main(String[] args) throws Exception {
        String value = "5dfc52b51bd35553df8592078de921bc";
        try {
            System.out.println(decode(value));
        } catch (Exception io) {
            io.printStackTrace();
        }
    }

    public static char[] decode(String secret)
            throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
        byte[] kbytes = "jaas is the way".getBytes();
        SecretKeySpec key = new SecretKeySpec(kbytes, "Blowfish");
        BigInteger n = new BigInteger(secret, 16);
        byte[] encoding = n.toByteArray();
        // toByteArray() returns the minimal two's-complement form, so the hex
        // string may have lost leading bytes; Blowfish needs whole 8-byte blocks.
        //SECURITY-344: fix leading zeros
        if (encoding.length % 8 != 0) {
            int length = encoding.length;
            int newLength = ((length / 8) + 1) * 8;
            int pad = newLength - length; //number of leading zeros
            byte[] old = encoding;
            encoding = new byte[newLength];
            for (int i = old.length - 1; i >= 0; i--) {
                encoding[i + pad] = old[i];
            }
            //SECURITY-563: handle negative numbers (the dropped bytes were 0xff, not 0x00)
            if (n.signum() == -1) {
                for (int i = 0; i < newLength - length; i++) {
                    encoding[i] = (byte) -1;
                }
            }
        }
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] decode = cipher.doFinal(encoding);
        return new String(decode).toCharArray();
    }
}
For more information regarding PicketBox:
https://source.jboss.org/browse/PicketBox/trunk/security-jboss-sx/jbosssx/src/main/java/org/picketbox/datasource/security/SecureIdentityLoginModule.java?r=276
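The hex handling in the decode() method above (the SECURITY-344 and SECURITY-563 branches) is the part people get wrong when they re-implement this scheme, so here is an added Python model of exactly that layer. This is example code written for this page, not PicketBox, WildFly Swarm or the answerer's code: it reproduces Java's `new BigInteger(bytes).toString(16)`, `new BigInteger(hex, 16)` and `toByteArray()` semantics with Python integers and applies the same block-restoring repair. The Blowfish step is deliberately left out (the Python standard library has no Blowfish), so the sample ciphertexts are constructed byte strings chosen to hit each branch, not real cipher output; the only real value is the answer's own `5dfc52b5...` string. One practical point the answer's code makes visible: the Blowfish key "jaas is the way" is a fixed constant, so anyone holding the hex string and the PicketBox jar can run decode() and recover the password. The hex form encodes the credential; it does not protect it.

```python
"""Model of the hex layer of PicketBox's SecureIdentityLoginModule.

Added example for this page (not PicketBox/WildFly Swarm code).  It mirrors
`new BigInteger(bytes).toString(16)` on the encode side and
`new BigInteger(hex, 16).toByteArray()` plus the SECURITY-344/SECURITY-563
repair on the decode side.  Blowfish itself is omitted; the ciphertexts
below are constructed byte strings, except the one taken from the answer.
"""

BLOCK = 8  # Blowfish block size: doFinal() output is always a multiple of it

# Constructed 16-byte "ciphertexts" chosen to hit each branch of the repair code
SAMPLE_CIPHERTEXTS = {
    "plain":        bytes.fromhex("5dfc52b51bd35553df8592078de921bc"),  # value from the answer
    "leading_zero": b"\x00\x12" + b"\x34" * 14,      # BigInteger drops the 0x00 (SECURITY-344)
    "leading_ff":   b"\xff\xff\x12" + b"\x34" * 13,  # negative, drops one 0xff (SECURITY-563)
    "high_bit":     b"\x80" + b"\x34" * 15,          # negative but already minimal, no repair
}


def java_biginteger_hex(ciphertext: bytes) -> str:
    """Encode side: `new BigInteger(encoding).toString(16)`.

    Java reads the bytes as a big-endian two's-complement integer and prints
    sign-magnitude hex: leading zero bytes vanish and a set high bit becomes
    a '-' prefix.  Both lose the original length, which decode_hex repairs.
    """
    n = int.from_bytes(ciphertext, "big", signed=True)
    return format(n, "x")  # negative ints print as "-..." in Python as in Java


def java_to_byte_array(n: int) -> bytes:
    """`BigInteger.toByteArray()`: minimal two's-complement big-endian bytes."""
    magnitude_bits = (n if n >= 0 else -n - 1).bit_length()
    return n.to_bytes(magnitude_bits // 8 + 1, "big", signed=True)


def naive_decode_hex(secret: str) -> bytes:
    """What decode() did before the fixes: may return a short, unaligned buffer."""
    return java_to_byte_array(int(secret, 16))


def decode_hex(secret: str, block: int = BLOCK) -> bytes:
    """Decode side with the SECURITY-344 / SECURITY-563 repair from the answer."""
    n = int(secret, 16)
    encoding = java_to_byte_array(n)
    if len(encoding) % block != 0:
        new_length = (len(encoding) // block + 1) * block
        pad = new_length - len(encoding)
        # Positive numbers lost leading 0x00 bytes; negative ones lost leading
        # 0xff (sign-extension) bytes.  The wrong filler changes the ciphertext.
        fill = b"\xff" if n < 0 else b"\x00"
        encoding = fill * pad + encoding
    return encoding


def roundtrips(ciphertext: bytes) -> bool:
    """True if encode -> hex -> decode reproduces the exact ciphertext bytes."""
    return decode_hex(java_biginteger_hex(ciphertext)) == ciphertext


if __name__ == "__main__":
    for name, ct in SAMPLE_CIPHERTEXTS.items():
        hexstr = java_biginteger_hex(ct)
        print(f"{name:13s} hex={hexstr:34s} naive_len={len(naive_decode_hex(hexstr)):2d} "
              f"fixed_len={len(decode_hex(hexstr))} roundtrip={roundtrips(ct)}")
```

Running the script shows the `leading_zero` and `leading_ff` cases coming back as 15 bytes from the naive path (Blowfish would reject that with IllegalBlockSizeException) and as 16 bytes after the repair, while `plain` and `high_bit` need no repair at all. The `fill` choice is the whole of SECURITY-563: padding a negative value with 0x00 instead of 0xff yields a block-aligned buffer that decrypts to garbage rather than failing loudly.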