I’m trying to encrypt my database password using a JBOSS security domain.
The datasource is defined in oracle-ds.xml as follows:
<datasources>
<local-tx-datasource>
<jndi-name>OracleDS</jndi-name>
<connection-url>jdbc:oracle:thin:@dbhost:1521:db</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<!-- app works fine when you use unencrypted password like this
<user-name>username</user-name>
<password>unencrypted_pass</password>
-->
<!-- Use the security domain defined in conf/login-config.xml for username and encrypted password-->
<security-domain>Encrypt-my-Password</security-domain>
....etc
The login-config.xml file contains this entry:
<application-policy name="Encrypt-my-Password">
<authentication>
<login-module
code="com.mycompany.global.er.util.ErSecureIdentityLoginModule"
flag="required">
<module-option name="username">databaseUsername</module-option>
<module-option name="password">232487h4873hf4</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDS</module-option>
</login-module>
</authentication>
</application-policy>
NB the ErSecureIdentityLoginModule is a class already used to encrypt / decrypt DB passwords in another application, where it works fine.
As soon as I started using this config the application throws an exception as follows when you try to access the datasource:
java.lang.SecurityException: Unauthenticated caller:null
org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)
org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:92)
org.hibernate.cfg.SettingsFactory.buildSettings(SettingsFactory.java:111)
org.hibernate.cfg.Configuration.buildSettings(Configuration.java:2101)
org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1325)
org.hibernate.cfg.AnnotationConfiguration.buildSessionFactory(AnnotationConfiguration.java:867)
org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:669)
org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)
javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:52)
javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:34)
com.mycompany.er.batch.data.DbHelper.createEntityManager(DbHelper.java:30)
com.mycompany.er.batch.data.DbHelper.createAndBegin(DbHelper.java:49)
com.mycompany.er.basman.HibernateTransactionFilter.doFilter(HibernateTransactionFilter.java:53)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
I downloaded the source code for jboss 5.0.1GA and debugged with TRACE enabled. There is an interesting stack trace produced:
2012-03-12 18-13-40:Login failure
javax.security.auth.login.LoginException: java.lang.NullPointerException
at org.jboss.resource.security.SubjectActions$AddPrincipalsAction.run(SubjectActions.java:101)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.resource.security.SubjectActions.addPrincipals(SubjectActions.java:139)
at org.jboss.resource.security.ConfiguredIdentityLoginModule.login(ConfiguredIdentityLoginModule.java:98)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:9
0)
The NullPointerException refers to this line of code in org.jboss.resource.security.SubjectActions:
static class AddPrincipalsAction implements PrivilegedAction
{
Subject subject;
Principal p;
AddPrincipalsAction(Subject subject, Principal p)
{
this.subject = subject;
this.p = p;
}
public Object run()
{
subject.getPrincipals().add(p);
return null;
}
}
However this doesn’t help much, and I can’t understand what I’m doing wrong.
Help!
I have since got this working. I had to remove a shedload of optional jboss components but it’s not 100% clear how I fixed it exactly. One possibility is that the password encryption was not correct – ie I was using the wrong library to encrypt it, so it wasn’t being decrypted correctly.