Posted to users@openjpa.apache.org by wang yu <wa...@gmail.com> on 2009/05/12 11:31:34 UTC

How to encrypt DB password in persistence.xml

As title.

Regards,
Yu Wang

Re: How to encrypt DB password in persistence.xml

Posted by Kevin Sutter <kw...@gmail.com>.
Thanks for the insights, Donald.  And, thanks for posting this info to the
JIRA Issue (openjpa-1089) as well.

Kevin

On Fri, May 15, 2009 at 10:25 AM, Donald Woods <dw...@apache.org> wrote:

> We have a similar feature in Apache Geronimo for our config.xml and
> deployment plans.  The only downside of adding this to OpenJPA, is we would
> then have to follow the ASF Cryptography release guidelines at -
>   http://www.apache.org/dev/crypto.html
> since we would be using encryption/decryption (even if provided by the
> JVM).  Not a biggie, but adds a few steps to the release process...
>
>
> -Donald
>
>
>
> Kevin Sutter wrote:
>
>> Hi Yu Wang,
>> Or, you could develop an answer for OpenJPA and contribute it back to the
>> project...  :-)  Providing an encryption capability for persistence.xml
>> password values would be a nice feature.  But, this would probably only
>> apply to our openjpa.* properties...
>>
>> In your particular case where you are passing in all of the parameters to
>> dbcp, I don't see how OpenJPA could help in this case.  The URL is just
>> passed through to dbcp, so any decryption of a password field would need to
>> be provided by dbcp.
>>
>> I did a quick search on this topic and found a few hits related to
>> encrypting passwords used for dbcp.  One link [1] indicated that using
>> Tomcat 6.0 makes this a bit easier, but there were other instructions on
>> extending the BasicDataSource.  This link was specific to Tomcat's
>> server.xml, but the idea could probably be extended to the persistence.xml.
>>
>> Let us know what you come up with.
>>
>> Thanks,
>> Kevin
>>
>> [1]
>> http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
>>
>>
>>
>> On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:
>>
>>> Hi Kevin,
>>> Thank you. You had real good solutions but unfortunately neither of
>>> them is feasible for our project.
>>> We use Apache dbcp datasource to leverage DB connection pool and
>>> tomcat 5.5 as app server.
>>> Following is a fragment of our persistence.xml:
>>>     <property name="openjpa.ConnectionDriverName"
>>>               value="org.apache.commons.dbcp.BasicDataSource" />
>>>     <property name="openjpa.ConnectionProperties"
>>>               value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=10000, poolPreparedStatements=true" />
>>>
>>> How to encrypt password under  this situation? Or should I adopt
>>> alternative connection pool implementation to make password encryption
>>> easier?
>>>
>>> if no better solution, I guess I only have two choices
>>> 1. Give up apache dbcp.
>>> 2. Modify source code of apache dbcp.
>>>
>>> Regards,
>>> Yu Wang
>>>
>>>
>>>
>>>
>>> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
>>>
>>>> Hi,
>>>> JPA does not define this functionality.  You could pass in the password via
>>>> the application instead of hard-coding it in a persistence.xml.  Or, if you
>>>> are in an app server environment, you should use a jndi lookup of a
>>>> datasource.  This would be the most secure.
>>>>
>>>> Kevin
>>>>
>>>> On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
>>>>
>>>>> As title.
>>>>>
>>>>> Regards,
>>>>> Yu Wang
>>>>>
>>>>>
>>

Re: How to encrypt DB password in persistence.xml

Posted by Donald Woods <dw...@apache.org>.
We have a similar feature in Apache Geronimo for our config.xml and 
deployment plans.  The only downside of adding this to OpenJPA, is we 
would then have to follow the ASF Cryptography release guidelines at -
    http://www.apache.org/dev/crypto.html
since we would be using encryption/decryption (even if provided by the 
JVM).  Not a biggie, but adds a few steps to the release process...


-Donald


Kevin Sutter wrote:
> Hi Yu Wang,
> Or, you could develop an answer for OpenJPA and contribute it back to the
> project...  :-)  Providing an encryption capability for persistence.xml
> password values would be a nice feature.  But, this would probably only
> apply to our openjpa.* properties...
> 
> In your particular case where you are passing in all of the parameters to
> dbcp, I don't see how OpenJPA could help in this case.  The URL is just
> passed through to dbcp, so any decryption of a password field would need to
> be provided by dbcp.
> 
> I did a quick search on this topic and found a few hits related to
> encrypting passwords used for dbcp.  One link [1] indicated that using
> Tomcat 6.0 makes this a bit easier, but there were other instructions on
> extending the BasicDataSource.  This link was specific to Tomcat's
> server.xml, but the idea could probably be extended to the persistence.xml.
> 
> Let us know what you come up with.
> 
> Thanks,
> Kevin
> 
> [1]
> http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
> 
> 
> 
> On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:
> 
>> Hi Kevin,
>> Thank you. You had real good solutions but unfortunately neither of
>> them is feasible for our project.
>> We use Apache dbcp datasource to leverage DB connection pool and
>> tomcat 5.5 as app server.
>> Following is a fragment of our persistence.xml:
>>     <property name="openjpa.ConnectionDriverName"
>>               value="org.apache.commons.dbcp.BasicDataSource" />
>>     <property name="openjpa.ConnectionProperties"
>>               value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=10000, poolPreparedStatements=true" />
>>
>> How to encrypt password under  this situation? Or should I adopt
>> alternative connection pool implementation to make password encryption
>> easier?
>>
>> if no better solution, I guess I only have two choices
>> 1. Give up apache dbcp.
>> 2. Modify source code of apache dbcp.
>>
>> Regards,
>> Yu Wang
>>
>>
>>
>>
>> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
>>> Hi,
>>> JPA does not define this functionality.  You could pass in the password via
>>> the application instead of hard-coding it in a persistence.xml.  Or, if you
>>> are in an app server environment, you should use a jndi lookup of a
>>> datasource.  This would be the most secure.
>>>
>>> Kevin
>>>
>>> On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
>>>
>>>> As title.
>>>>
>>>> Regards,
>>>> Yu Wang
>>>>
> 

Re: How to encrypt DB password in persistence.xml

Posted by Kevin Sutter <kw...@gmail.com>.
Hi,
Yes, we do have plans to GA OpenJPA 2.0 before the end of the year, but it
all depends on external factors which we have little control over.  We need
a finalized spec from the JCP -- current target date of Nov 16, 2009.  And,
we need a TCK (test suite) delivered at approximately the same timeframe.
Then, we need to work through that TCK so that we can claim compliance.
Overall, our OpenJPA 2.0 development and testing has been going quite well,
so we're hoping for the same when using the TCK...

Kevin

On Tue, Sep 1, 2009 at 4:58 AM, wang yu <wa...@gmail.com> wrote:

> Hello, Mike,
> Do we have a target day for OpenJPA 2.0 GA?
> From http://openjpa.apache.org/jpa-20-roadmap.html , may I assume it
> will be released before the end of the year?
>
> Both password Encryption and get cache from factory in JPA spec  are
> very useful for me.
> I use Spring to manager the life circle of manager factory, it's
> difficult to cast factory into OpenJPAEntityManagerFactory directly.
>
> Regards,
> Yu Wang
>
>
> On Fri, Aug 14, 2009 at 11:27 AM, Michael Dick<mi...@gmail.com> wrote:
> > Hi,
> > OpenJPA doesn't know (or care) how much of the password is encrypted - that
> > determination is up to the encryption provider (ie your code). So if the
> > encryption provider can figure out which parts of the string need to be
> > decrypted and which parts do not then you should be set.
> >
> > I just reopened the issue to port it to version 1.3.0 so this feature will
> > be available in the next major (2.0.0) and minor (1.3.0) versions of
> > OpenJPA.
> >
> > In the mean time you can grab a nightly build from the builds
> > page<http://openjpa.apache.org/downloads.html> (look
> > for 2.0.0-SNAPSHOT). I'll try to get the fix ported to 1.3.0 this weekend
> > too.
> >
> > -mike
> >
> >
> >
> > On Thu, Aug 13, 2009 at 8:58 PM, wang yu <wa...@gmail.com> wrote:
> >
> >> Mike,
> >> Thanks a lot!
> >> Since I used DBCP datasource as following:
> >>     <property name="openjpa.ConnectionProperties"
> >>               value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=10000, poolPreparedStatements=true" />
> >>
> >>
> >> May I  encrypt a sub string of property value rather than full
> >> property value string?
> >>
> >> Anyway, when will this feature be available? In a new release or a
> >> rolling patch?
> >>
> >> Regards,
> >> Yu Wang
> >>
> >>
> >> On Fri, Aug 7, 2009 at 9:33 PM, Michael Dick<mi...@gmail.com> wrote:
> >> > Hi Yu,
> >> >
> >> > At the moment our support allows you to specify an 'Encryption Provider'
> >> > which handles the encryption / decryption of a password. We aren't providing
> >> > a tool to do the actual encryption - just a plugin point for other tools.
> >> >
> >> > It sounds like you have written the encryption code in your extension for
> >> > DBCP so it should be fairly easy to wrap in an encryption provider.
> >> >
> >> > Hope this helps,
> >> > -mike
> >> >
> >> > On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wa...@gmail.com> wrote:
> >> >
> >> >> Rick,
> >> >> Thank you for your information. I have resolved this issue by
> >> >> modifying dbcp source code.
> >> >> The bad part is dbcp can be built with jdk 1.4 only which made build
> >> >> system little bit complicated:-)
> >> >>
> >> >> If you can deliver encryption feature in next release, I'll be very
> >> >> pleased to use it.
> >> >>
> >> >> Regards,
> >> >> Yu Wang
> >> >>
> >> >>
> >> >> On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
> >> >> >
> >> >> > Yu Wang -
> >> >> >
> >> >> > OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
> >> >> > change was made.
> >> >> >
> >> >> > Thanks -
> >> >> > Rick
> >> >> >
> >> >> > [1] https://issues.apache.org/jira/browse/OPENJPA-1089
> >> >> > --
> >> >> > View this message in context:
> >> >> > http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
> >> >> > Sent from the OpenJPA Users mailing list archive at Nabble.com.
> >> >> >
> >> >>
> >> >
> >>
> >
>

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Hello, Mike,
Do we have a target day for OpenJPA 2.0 GA?
From http://openjpa.apache.org/jpa-20-roadmap.html , may I assume it
will be released before the end of the year?

Both password encryption and getting the cache from the factory in the JPA
spec are very useful for me.
I use Spring to manage the life cycle of the manager factory; it's
difficult to cast the factory into OpenJPAEntityManagerFactory directly.

Regards,
Yu Wang


On Fri, Aug 14, 2009 at 11:27 AM, Michael Dick<mi...@gmail.com> wrote:
> Hi,
> OpenJPA doesn't know (or care) how much of the password is encrypted - that
> determination is up to the encryption provider (ie your code). So if the
> encryption provider can figure out which parts of the string need to be
> decrypted and which parts do not then you should be set.
>
> I just reopened the issue to port it to version 1.3.0 so this feature will
> be available in the next major (2.0.0) and minor (1.3.0) versions of
> OpenJPA.
>
> In the mean time you can grab a nightly build from the builds
> page<http://openjpa.apache.org/downloads.html> (look
> for 2.0.0-SNAPSHOT). I'll  try to get the fix ported to 1.3.0 this weekend
> too.
>
> -mike
>
>
>
> On Thu, Aug 13, 2009 at 8:58 PM, wang yu <wa...@gmail.com> wrote:
>
>> Mike,
>> Thanks a lot!
>> Since I used DBCP datasource as following:
>>     <property name="openjpa.ConnectionProperties"
>>               value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=10000, poolPreparedStatements=true" />
>>
>>
>> May I  encrypt a sub string of property value rather than full
>> property value string?
>>
>> Anyway, when will this feature be available? In a new release or a
>> rolling patch?
>>
>> Regards,
>> Yu Wang
>>
>>
>> On Fri, Aug 7, 2009 at 9:33 PM, Michael Dick<mi...@gmail.com> wrote:
>> > Hi Yu,
>> >
>> > At the moment our support allows you to specify an 'Encryption Provider'
>> > which handles the encryption / decryption of a password. We aren't providing
>> > a tool to do the actual encryption - just a plugin point for other tools.
>> >
>> > It sounds like you have written the encryption code in your extension for
>> > DBCP so it should be fairly easy to wrap in an encryption provider.
>> >
>> > Hope this helps,
>> > -mike
>> >
>> > On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wa...@gmail.com> wrote:
>> >
>> >> Rick,
>> >> Thank you for your information. I have resolved this issue by
>> >> modifying dbcp source code.
>> >> The bad part is dbcp can be built with jdk 1.4 only which made build
>> >> system little bit complicated:-)
>> >>
>> >> If you can deliver encryption feature in next release, I'll be very
>> >> pleased to use it.
>> >>
>> >> Regards,
>> >> Yu Wang
>> >>
>> >>
>> >> On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
>> >> >
>> >> > Yu Wang -
>> >> >
>> >> > OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
>> >> > change was made.
>> >> >
>> >> > Thanks -
>> >> > Rick
>> >> >
>> >> > [1] https://issues.apache.org/jira/browse/OPENJPA-1089
>> >> > --
>> >> > View this message in context:
>> >> > http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
>> >> > Sent from the OpenJPA Users mailing list archive at Nabble.com.
>> >> >
>> >>
>> >
>>
>

Re: How to encrypt DB password in persistence.xml

Posted by Michael Dick <mi...@gmail.com>.
Hi,
OpenJPA doesn't know (or care) how much of the password is encrypted - that
determination is up to the encryption provider (i.e. your code). So if the
encryption provider can figure out which parts of the string need to be
decrypted and which parts do not then you should be set.

I just reopened the issue to port it to version 1.3.0 so this feature will
be available in the next major (2.0.0) and minor (1.3.0) versions of
OpenJPA.

In the meantime you can grab a nightly build from the builds page
<http://openjpa.apache.org/downloads.html> (look for 2.0.0-SNAPSHOT). I'll
try to get the fix ported to 1.3.0 this weekend too.

-mike



On Thu, Aug 13, 2009 at 8:58 PM, wang yu <wa...@gmail.com> wrote:

> Mike,
> Thanks a lot!
> Since I used DBCP datasource as following:
>     <property name="openjpa.ConnectionProperties"
>               value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=10000, poolPreparedStatements=true" />
>
>
> May I  encrypt a sub string of property value rather than full
> property value string?
>
> Anyway, when will this feature be available? In a new release or a
> rolling patch?
>
> Regards,
> Yu Wang
>
>
> On Fri, Aug 7, 2009 at 9:33 PM, Michael Dick<mi...@gmail.com> wrote:
> > Hi Yu,
> >
> > At the moment our support allows you to specify an 'Encryption Provider'
> > which handles the encryption / decryption of a password. We aren't providing
> > a tool to do the actual encryption - just a plugin point for other tools.
> >
> > It sounds like you have written the encryption code in your extension for
> > DBCP so it should be fairly easy to wrap in an encryption provider.
> >
> > Hope this helps,
> > -mike
> >
> > On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wa...@gmail.com> wrote:
> >
> >> Rick,
> >> Thank you for your information. I have resolved this issue by
> >> modifying dbcp source code.
> >> The bad part is dbcp can be built with jdk 1.4 only which made build
> >> system little bit complicated:-)
> >>
> >> If you can deliver encryption feature in next release, I'll be very
> >> pleased to use it.
> >>
> >> Regards,
> >> Yu Wang
> >>
> >>
> >> On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
> >> >
> >> > Yu Wang -
> >> >
> >> > OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
> >> > change was made.
> >> >
> >> > Thanks -
> >> > Rick
> >> >
> >> > [1] https://issues.apache.org/jira/browse/OPENJPA-1089
> >> > --
> >> > View this message in context:
> >> > http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
> >> > Sent from the OpenJPA Users mailing list archive at Nabble.com.
> >> >
> >>
> >
>

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Mike,
Thanks a lot!
Since I used DBCP datasource as following:
        <property name="openjpa.ConnectionProperties"
                  value="driverClassName=oracle.jdbc.driver.OracleDriver, url=jdbc:oracle:thin:@localhost:1521:orcl, username=XXX, password=XXX, maxActive=8, maxWait=10000, poolPreparedStatements=true" />

May I encrypt a substring of the property value rather than the full
property value string?

Anyway, when will this feature be available? In a new release or a
rolling patch?

Regards,
Yu Wang
     		

On Fri, Aug 7, 2009 at 9:33 PM, Michael Dick<mi...@gmail.com> wrote:
> Hi Yu,
>
> At the moment our support allows you to specify an 'Encryption Provider'
> which handles the encryption / decryption of a password. We aren't providing
> a tool to do the actual encryption - just a plugin point for other tools.
>
> It sounds like you have written the encryption code in your extension for
> DBCP so it should be fairly easy to wrap in an encryption provider.
>
> Hope this helps,
> -mike
>
> On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wa...@gmail.com> wrote:
>
>> Rick,
>> Thank you for your information. I have resolved this issue by
>> modifying dbcp source code.
>> The bad part is dbcp can be built with jdk 1.4 only which made build
>> system little bit complicated:-)
>>
>> If you can deliver encryption feature in next release, I'll be very
>> pleased to use it.
>>
>> Regards,
>> Yu Wang
>>
>>
>> On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
>> >
>> > Yu Wang -
>> >
>> > OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
>> > change was made.
>> >
>> > Thanks -
>> > Rick
>> >
>> > [1] https://issues.apache.org/jira/browse/OPENJPA-1089
>> > --
>> > View this message in context:
>> > http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
>> > Sent from the OpenJPA Users mailing list archive at Nabble.com.
>> >
>>
>

Re: How to encrypt DB password in persistence.xml

Posted by Michael Dick <mi...@gmail.com>.
Hi Yu,

At the moment our support allows you to specify an 'Encryption Provider'
which handles the encryption / decryption of a password. We aren't providing
a tool to do the actual encryption - just a plugin point for other tools.

It sounds like you have written the encryption code in your extension for
DBCP so it should be fairly easy to wrap in an encryption provider.

Hope this helps,
-mike

On Fri, Aug 7, 2009 at 1:25 AM, wang yu <wa...@gmail.com> wrote:

> Rick,
> Thank you for your information. I have resolved this issue by
> modifying dbcp source code.
> The bad part is dbcp can be built with jdk 1.4 only which made build
> system little bit complicated:-)
>
> If you can deliver encryption feature in next release, I'll be very
> pleased to use it.
>
> Regards,
> Yu Wang
>
>
> On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
> >
> > Yu Wang -
> >
> > OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
> > change was made.
> >
> > Thanks -
> > Rick
> >
> > [1] https://issues.apache.org/jira/browse/OPENJPA-1089
> > --
> > View this message in context:
> > http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
> > Sent from the OpenJPA Users mailing list archive at Nabble.com.
> >
>
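
The plugin point Michael Dick describes in his two replies above, as an added example that is not code from this thread or from OpenJPA: a provider that decrypts only the marked part of a value such as the ConnectionProperties string quoted in the thread and passes everything else through. The PasswordCodec interface, the ENC(...) marker and the choice of AES-GCM are assumptions made for the example; the thread does not show OpenJPA's own interface.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MarkedValueCodecDemo {

    /** Stand-in for the "Encryption Provider" plugin point (assumed shape, not OpenJPA's interface). */
    interface PasswordCodec {
        String encrypt(String plain);
        String decrypt(String stored);
    }

    /** Decrypts only ENC(...) tokens; everything else in the string passes through unchanged. */
    static final class AesGcmCodec implements PasswordCodec {
        // ENC(<url-safe base64 of iv || ciphertext || tag>) is a marker convention made up for this example.
        private static final Pattern MARKED = Pattern.compile("ENC\\(([A-Za-z0-9_-]+)\\)");
        private static final int IV_LEN = 12;
        private static final int TAG_BITS = 128;
        private final SecretKeySpec key;
        private final SecureRandom rng = new SecureRandom();

        AesGcmCodec(byte[] rawKey) {
            if (rawKey.length != 16 && rawKey.length != 32) {
                throw new IllegalArgumentException("AES key must be 16 or 32 bytes");
            }
            this.key = new SecretKeySpec(rawKey, "AES");
        }

        @Override
        public String encrypt(String plain) {
            try {
                byte[] iv = new byte[IV_LEN];
                rng.nextBytes(iv); // fresh IV per value; never reuse one with the same key
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
                byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
                byte[] blob = new byte[iv.length + ct.length];
                System.arraycopy(iv, 0, blob, 0, iv.length);
                System.arraycopy(ct, 0, blob, iv.length, ct.length);
                return "ENC(" + Base64.getUrlEncoder().withoutPadding().encodeToString(blob) + ")";
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException("encryption failed", e);
            }
        }

        @Override
        public String decrypt(String stored) {
            Matcher m = MARKED.matcher(stored);
            StringBuffer out = new StringBuffer();
            while (m.find()) {
                // quoteReplacement: the recovered password may contain '$' or '\'
                m.appendReplacement(out, Matcher.quoteReplacement(open(m.group(1))));
            }
            m.appendTail(out);
            return out.toString();
        }

        private String open(String b64) {
            try {
                byte[] blob = Base64.getUrlDecoder().decode(b64);
                if (blob.length < IV_LEN + TAG_BITS / 8) {
                    throw new IllegalStateException("stored credential is truncated");
                }
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
                byte[] plain = c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
                return new String(plain, StandardCharsets.UTF_8);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                // Wrong key or modified token: fail closed, never hand back garbage.
                throw new IllegalStateException("stored credential failed authentication", e);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed demo key. A real deployment loads the key from outside persistence.xml
        // (for example a file readable only by the service account); otherwise nothing is gained.
        byte[] demoKey = new byte[32];
        new SecureRandom().nextBytes(demoKey);
        PasswordCodec codec = new AesGcmCodec(demoKey);

        // Constructed sample in the shape of the ConnectionProperties value quoted in the thread.
        String stored = "driverClassName=org.apache.derby.jdbc.ClientDriver, "
                + "url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, "
                + "password=" + codec.encrypt("app") + ", maxActive=30";
        System.out.println("stored   : " + stored);
        System.out.println("resolved : " + codec.decrypt(stored));
        System.out.println("plain    : " + codec.decrypt("app")); // unmarked input is returned as-is

        // Flip one character inside the token: decryption must fail, not return garbage.
        int i = stored.indexOf("ENC(") + 10;
        char swapped = stored.charAt(i) == 'A' ? 'B' : 'A';
        String tampered = stored.substring(0, i) + swapped + stored.substring(i + 1);
        try {
            codec.decrypt(tampered);
            System.out.println("tampered : accepted (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("tampered : rejected (" + e.getMessage() + ")");
        }
    }
}
```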

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Rick,
Thank you for your information. I have resolved this issue by
modifying dbcp source code.
The bad part is dbcp can be built with jdk 1.4 only, which made the build
system a little bit complicated :-)

If you can deliver the encryption feature in the next release, I'll be very
pleased to use it.

Regards,
Yu Wang


On Fri, Aug 7, 2009 at 5:22 AM, Rick Curtis<cu...@gmail.com> wrote:
>
> Yu Wang -
>
> OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
> change was made.
>
> Thanks -
> Rick
>
> [1] https://issues.apache.org/jira/browse/OPENJPA-1089
> --
> View this message in context: http://n2.nabble.com/How-to-encrypt-DB-password-in-persistence.xml-tp2868212p3400811.html
> Sent from the OpenJPA Users mailing list archive at Nabble.com.
>

Re: How to encrypt DB password in persistence.xml

Posted by Rick Curtis <cu...@gmail.com>.
Yu Wang -

OPENJPA-1089[1] wasn't your exact problem, but I want you to be aware that a
change was made.

Thanks - 
Rick

[1] https://issues.apache.org/jira/browse/OPENJPA-1089

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Kevin,
Thanks for your patient answer.
I'll try to resolve it in dbcp community.

Cheers,
Yu Wang

On Mon, May 18, 2009 at 9:03 PM, Kevin Sutter <kw...@gmail.com> wrote:
> Hi Yu Wang,
> My apologies, but I'm not an expert with DBCP.  I just thought I would do a
> quick Google search to see what's out there and I found a few hits, one of
> which I posted to my previous reply.  Since you seem to be interested in
> encrypting the password being sent in to DBCP, you will probably need to do
> something specific with the DBCP implementation either by modifying it
> directly (like you mentioned in one of your replies) or maybe by extending
> the BasicDataSource (my reference).  I don't have any direct experience with
> either approach.  You might want to try posting your question to the DBCP
> group [1].
>
> Please keep us informed of your progress.  Thanks.
>
> Kevin
>
> [1]  http://commons.apache.org/dbcp/
>
> On Mon, May 18, 2009 at 2:47 AM, wang yu <wa...@gmail.com> wrote:
>
>> Hi Kevin,
>> Thanks.
>> The link you gave indicate how to extend BasicDataSourceFactory. But I
>> guess this approach isn't feasible for OpenJPA.
>> I need to extend BasicDataSource directly, right?
>> And you mentioned "there were other instructions on extending the
>> BasicDataSource". Can you make it clearer?I found extending
>> BasicDataSource isn't very straightforward.
>>
>> Regards,
>> Yu Wang
>>
>> On Fri, May 15, 2009 at 9:56 PM, Kevin Sutter <kw...@gmail.com> wrote:
>> > Hi Yu Wang,
>> > Or, you could develop an answer for OpenJPA and contribute it back to the
>> > project...  :-)  Providing an encryption capability for persistence.xml
>> > password values would be a nice feature.  But, this would probably only
>> > apply to our openjpa.* properties...
>> >
>> > In your particular case where you are passing in all of the parameters to
>> > dbcp, I don't see how OpenJPA could help in this case.  The URL is just
>> > passed through to dbcp, so any decryption of a password field would need to
>> > be provided by dbcp.
>> >
>> > I did a quick search on this topic and found a few hits related to
>> > encrypting passwords used for dbcp.  One link [1] indicated that using
>> > Tomcat 6.0 makes this a bit easier, but there were other instructions on
>> > extending the BasicDataSource.  This link was specific to Tomcat's
>> > server.xml, but the idea could probably be extended to the persistence.xml.
>> >
>> > Let us know what you come up with.
>> >
>> > Thanks,
>> > Kevin
>> >
>> > [1]
>> > http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
>> >
>> >
>> >
>> > On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:
>> >
>> >> Hi Kevin,
>> >> Thank you. You had real good solutions but unfortunately neither of
>> >> them is feasible for our project.
>> >> We use Apache dbcp datasource to leverage DB connection pool and
>> >> tomcat 5.5 as app server.
>> >> Following is a fragment of our persistence.xml:
>> >>     <property name="openjpa.ConnectionDriverName"
>> >>               value="org.apache.commons.dbcp.BasicDataSource" />
>> >>     <property name="openjpa.ConnectionProperties"
>> >>               value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=10000, poolPreparedStatements=true" />
>> >>
>> >> How to encrypt password under  this situation? Or should I adopt
>> >> alternative connection pool implementation to make password encryption
>> >> easier?
>> >>
>> >> if no better solution, I guess I only have two choices
>> >> 1. Give up apache dbcp.
>> >> 2. Modify source code of apache dbcp.
>> >>
>> >> Regards,
>> >> Yu Wang
>> >>
>> >>
>> >>
>> >>
>> >> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
>> >> > Hi,
>> >> > JPA does not define this functionality.  You could pass in the password via
>> >> > the application instead of hard-coding it in a persistence.xml.  Or, if you
>> >> > are in an app server environment, you should use a jndi lookup of a
>> >> > datasource.  This would be the most secure.
>> >> >
>> >> > Kevin
>> >> >
>> >> > On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
>> >> >
>> >> >> As title.
>> >> >>
>> >> >> Regards,
>> >> >> Yu Wang
>> >> >>
>> >> >
>> >>
>> >
>>
>

Re: How to encrypt DB password in persistence.xml

Posted by Kevin Sutter <kw...@gmail.com>.
Hi Yu Wang,
My apologies, but I'm not an expert with DBCP.  I just thought I would do a
quick Google search to see what's out there and I found a few hits, one of
which I posted to my previous reply.  Since you seem to be interested in
encrypting the password being sent in to DBCP, you will probably need to do
something specific with the DBCP implementation either by modifying it
directly (like you mentioned in one of your replies) or maybe by extending
the BasicDataSource (my reference).  I don't have any direct experience with
either approach.  You might want to try posting your question to the DBCP
group [1].

Please keep us informed of your progress.  Thanks.

Kevin

[1]  http://commons.apache.org/dbcp/

On Mon, May 18, 2009 at 2:47 AM, wang yu <wa...@gmail.com> wrote:

> Hi Kevin,
> Thanks.
> The link you gave indicate how to extend BasicDataSourceFactory. But I
> guess this approach isn't feasible for OpenJPA.
> I need to extend BasicDataSource directly, right?
> And you mentioned "there were other instructions on extending the
> BasicDataSource". Can you make it clearer?I found extending
> BasicDataSource isn't very straightforward.
>
> Regards,
> Yu Wang
>
> On Fri, May 15, 2009 at 9:56 PM, Kevin Sutter <kw...@gmail.com> wrote:
> > Hi Yu Wang,
> > Or, you could develop an answer for OpenJPA and contribute it back to the
> > project...  :-)  Providing an encryption capability for persistence.xml
> > password values would be a nice feature.  But, this would probably only
> > apply to our openjpa.* properties...
> >
> > In your particular case where you are passing in all of the parameters to
> > dbcp, I don't see how OpenJPA could help in this case.  The URL is just
> > passed through to dbcp, so any decryption of a password field would need to
> > be provided by dbcp.
> >
> > I did a quick search on this topic and found a few hits related to
> > encrypting passwords used for dbcp.  One link [1] indicated that using
> > Tomcat 6.0 makes this a bit easier, but there were other instructions on
> > extending the BasicDataSource.  This link was specific to Tomcat's
> > server.xml, but the idea could probably be extended to the persistence.xml.
> >
> > Let us know what you come up with.
> >
> > Thanks,
> > Kevin
> >
> > [1]
> > http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
> >
> >
> >
> > On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:
> >
> >> Hi Kevin,
> >> Thank you. You had real good solutions but unfortunately neither of
> >> them is feasible for our project.
> >> We use Apache dbcp datasource to leverage DB connection pool and
> >> tomcat 5.5 as app server.
> >> Following is a fragment of our persistence.xml:
> >>     <property name="openjpa.ConnectionDriverName"
> >>               value="org.apache.commons.dbcp.BasicDataSource" />
> >>     <property name="openjpa.ConnectionProperties"
> >>               value="driverClassName=org.apache.derby.jdbc.ClientDriver, url=jdbc:derby://localhost:1527/TSAM;create=true, username=app, password=app, maxActive=30, maxWait=10000, poolPreparedStatements=true" />
> >>
> >> How to encrypt password under  this situation? Or should I adopt
> >> alternative connection pool implementation to make password encryption
> >> easier?
> >>
> >> if no better solution, I guess I only have two choices
> >> 1. Give up apache dbcp.
> >> 2. Modify source code of apache dbcp.
> >>
> >> Regards,
> >> Yu Wang
> >>
> >>
> >>
> >>
> >> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
> >> > Hi,
> >> > JPA does not define this functionality.  You could pass in the password via
> >> > the application instead of hard-coding it in a persistence.xml.  Or, if you
> >> > are in an app server environment, you should use a jndi lookup of a
> >> > datasource.  This would be the most secure.
> >> >
> >> > Kevin
> >> >
> >> > On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
> >> >
> >> >> As title.
> >> >>
> >> >> Regards,
> >> >> Yu Wang
> >> >>
> >> >
> >>
> >
>

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Hi Kevin,
Thanks.
The link you gave indicates how to extend BasicDataSourceFactory. But I
guess this approach isn't feasible for OpenJPA.
I need to extend BasicDataSource directly, right?
And you mentioned "there were other instructions on extending the
BasicDataSource". Can you make it clearer? I found extending
BasicDataSource isn't very straightforward.

Regards,
Yu Wang

On Fri, May 15, 2009 at 9:56 PM, Kevin Sutter <kw...@gmail.com> wrote:
> Hi Yu Wang,
> Or, you could develop an answer for OpenJPA and contribute it back to the
> project...  :-)  Providing an encryption capability for persistence.xml
> password values would be a nice feature.  But, this would probably only
> apply to our openjpa.* properties...
>
> In your particular case where you are passing in all of the parameters to
> dbcp, I don't see how OpenJPA could help in this case.  The URL is just
> passed through to dbcp, so any decryption of a password field would need to
> be provided by dbcp.
>
> I did a quick search on this topic and found a few hits related to
> encrypting passwords used for dbcp.  One link [1] indicated that using
> Tomcat 6.0 makes this a bit easier, but there were other instructions on
> extending the BasicDataSource.  This link was specific to Tomcat's
> server.xml, but the idea could probably be extended to the persistence.xml.
>
> Let us know what you come up with.
>
> Thanks,
> Kevin
>
> [1]
> http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
>
>
>
> On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:
>
>> Hi Kevin,
>> Thank you. You had really good solutions, but unfortunately neither of
>> them is feasible for our project.
>> We use the Apache dbcp datasource to leverage DB connection pooling, and
>> tomcat 5.5 as the app server.
>> Following is a fragment of our persistence.xml:
>>                        <property name="openjpa.ConnectionDriverName"
>> value="org.apache.commons.dbcp.BasicDataSource" />
>>
>>                        <property name="openjpa.ConnectionProperties"
>>
>>  value="driverClassName=org.apache.derby.jdbc.ClientDriver,
>> url=jdbc:derby://localhost:1527/TSAM;create=true, username=app,
>> password=app, maxActive=30, maxWait=10000,
>> poolPreparedStatements=true" />
>>
>> How do I encrypt the password in this situation? Or should I adopt an
>> alternative connection pool implementation to make password encryption
>> easier?
>>
>> If there is no better solution, I guess I only have two choices:
>> 1. Give up apache dbcp.
>> 2. Modify source code of apache dbcp.
>>
>> Regards,
>> Yu Wang
>>
>>
>>
>>
>> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
>> > Hi,
>> > JPA does not define this functionality.  You could pass in the password via
>> > the application instead of hard-coding it in a persistence.xml.  Or, if you
>> > are in an app server environment, you should use a jndi lookup of a
>> > datasource.  This would be the most secure.
>> >
>> > Kevin
>> >
>> > On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
>> >
>> >> As title.
>> >>
>> >> Regards,
>> >> Yu Wang
>> >>
>> >
>>
>
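
The approach discussed in this thread, extending BasicDataSource so that the pool decrypts its own password, written out as an added example; it is not part of any message here and is not DBCP or OpenJPA code. It assumes Java 8 or later and that OpenJPA configures the class named in openjpa.ConnectionDriverName through its bean setters, so that setPassword receives the password= entry; the class name, the "enc:" prefix and the DB_CONFIG_KEY environment variable are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.dbcp.BasicDataSource;

// Added example, not DBCP or OpenJPA code: accepts "enc:<base64url(nonce || ciphertext)>" as password.
public class DecryptingBasicDataSource extends BasicDataSource {
    static final String PREFIX = "enc:";            // assumed marker for wrapped values
    static final String KEY_ENV = "DB_CONFIG_KEY";  // hypothetical env var: Base64 AES key, kept out of persistence.xml
    static final int IV_LEN = 12;                   // 96-bit GCM nonce stored in front of the ciphertext

    @Override public synchronized void setPassword(String value) {
        boolean wrapped = value != null && value.startsWith(PREFIX);
        super.setPassword(wrapped ? decrypt(value.substring(PREFIX.length())) : value);
    }

    static String decrypt(String b64) {
        byte[] blob = Base64.getUrlDecoder().decode(b64);
        try {
            byte[] plain = cipher(Cipher.DECRYPT_MODE, blob).doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {  // wrong key or modified value: fail, never fall back
            throw new IllegalStateException("DB password could not be decrypted", e);
        }
    }

    static String encrypt(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);  // fresh nonce for every wrapped value
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        return PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(blob);
    }

    private static Cipher cipher(int mode, byte[] buf) throws GeneralSecurityException {
        String key = java.util.Objects.requireNonNull(System.getenv(KEY_ENV), KEY_ENV + " is not set");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");  // nonce = first IV_LEN bytes of buf
        c.init(mode, new SecretKeySpec(Base64.getDecoder().decode(key), "AES"), new GCMParameterSpec(128, buf, 0, IV_LEN));
        return c;
    }

    public static void main(String[] args) throws GeneralSecurityException {  // operator tool, interactive terminal only
        System.out.println(encrypt(new String(System.console().readPassword("DB password: "))));
    }
}
```

To use it, point openjpa.ConnectionDriverName at this class and replace password=app in openjpa.ConnectionProperties with the enc: value printed by main. The unpadded URL-safe Base64 keeps "," and "=" out of the value, so the comma-separated property list still parses.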

Re: How to encrypt DB password in persistence.xml

Posted by Kevin Sutter <kw...@gmail.com>.
Hi Yu Wang,
Or, you could develop an answer for OpenJPA and contribute it back to the
project...  :-)  Providing an encryption capability for persistence.xml
password values would be a nice feature.  But, this would probably only
apply to our openjpa.* properties...

In your particular case where you are passing in all of the parameters to
dbcp, I don't see how OpenJPA could help in this case.  The URL is just
passed through to dbcp, so any decryption of a password field would need to
be provided by dbcp.

I did a quick search on this topic and found a few hits related to
encrypting passwords used for dbcp.  One link [1] indicated that using
Tomcat 6.0 makes this a bit easier, but there were other instructions on
extending the BasicDataSource.  This link was specific to Tomcat's
server.xml, but the idea could probably be extended to the persistence.xml.

Let us know what you come up with.

Thanks,
Kevin

[1]
http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi



On Fri, May 15, 2009 at 2:33 AM, wang yu <wa...@gmail.com> wrote:

> Hi Kevin,
> Thank you. You had really good solutions, but unfortunately neither of
> them is feasible for our project.
> We use the Apache dbcp datasource to leverage DB connection pooling, and
> tomcat 5.5 as the app server.
> Following is a fragment of our persistence.xml:
>                        <property name="openjpa.ConnectionDriverName"
> value="org.apache.commons.dbcp.BasicDataSource" />
>
>                        <property name="openjpa.ConnectionProperties"
>
>  value="driverClassName=org.apache.derby.jdbc.ClientDriver,
> url=jdbc:derby://localhost:1527/TSAM;create=true, username=app,
> password=app, maxActive=30, maxWait=10000,
> poolPreparedStatements=true" />
>
> How do I encrypt the password in this situation? Or should I adopt an
> alternative connection pool implementation to make password encryption
> easier?
>
> If there is no better solution, I guess I only have two choices:
> 1. Give up apache dbcp.
> 2. Modify source code of apache dbcp.
>
> Regards,
> Yu Wang
>
>
>
>
> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
> > Hi,
> > JPA does not define this functionality.  You could pass in the password via
> > the application instead of hard-coding it in a persistence.xml.  Or, if you
> > are in an app server environment, you should use a jndi lookup of a
> > datasource.  This would be the most secure.
> >
> > Kevin
> >
> > On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
> >
> >> As title.
> >>
> >> Regards,
> >> Yu Wang
> >>
> >
>

Re: How to encrypt DB password in persistence.xml

Posted by wang yu <wa...@gmail.com>.
Hi Kevin,
Thank you. You had really good solutions, but unfortunately neither of
them is feasible for our project.
We use the Apache dbcp datasource to leverage DB connection pooling, and
tomcat 5.5 as the app server.
Following is a fragment of our persistence.xml:
			<property name="openjpa.ConnectionDriverName"
value="org.apache.commons.dbcp.BasicDataSource" />
						
			<property name="openjpa.ConnectionProperties"
				value="driverClassName=org.apache.derby.jdbc.ClientDriver,
url=jdbc:derby://localhost:1527/TSAM;create=true, username=app,
password=app, maxActive=30, maxWait=10000,
poolPreparedStatements=true" />

How do I encrypt the password in this situation? Or should I adopt an
alternative connection pool implementation to make password encryption
easier?

If there is no better solution, I guess I only have two choices:
1. Give up apache dbcp.
2. Modify source code of apache dbcp.

Regards,
Yu Wang




On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kw...@gmail.com> wrote:
> Hi,
> JPA does not define this functionality.  You could pass in the password via
> the application instead of hard-coding it in a persistence.xml.  Or, if you
> are in an app server environment, you should use a jndi lookup of a
> datasource.  This would be the most secure.
>
> Kevin
>
> On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:
>
>> As title.
>>
>> Regards,
>> Yu Wang
>>
>

Re: How to encrypt DB password in persistence.xml

Posted by Kevin Sutter <kw...@gmail.com>.
Hi,
JPA does not define this functionality.  You could pass in the password via
the application instead of hard-coding it in a persistence.xml.  Or, if you
are in an app server environment, you should use a jndi lookup of a
datasource.  This would be the most secure.

Kevin

On Tue, May 12, 2009 at 4:31 AM, wang yu <wa...@gmail.com> wrote:

> As title.
>
> Regards,
> Yu Wang
>