Posted to users@tomee.apache.org by Alex Soto <as...@gmail.com> on 2015/06/09 16:39:49 UTC

CDI and org.apache.openejb.cipher.PasswordCipher

Hi guys, can I use CDI annotations in implementations of
org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have tried,
but no injection occurs, and I would like to know whether it is because I am
doing something wrong or simply because it is not supported.


Alex.

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Romain Manni-Bucau <rm...@gmail.com>.
https://issues.apache.org/jira/browse/TOMEE-1603


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-06-11 3:37 GMT+02:00 Romain Manni-Bucau <rm...@gmail.com>:

> Yeah, like a class you instantiate yourself or one that is not CDI managed
> (like JPA entities). Scanned but not managed.
> On 10 June 2015 05:05, "Alex Soto" <as...@gmail.com> wrote:
>> > > > > On Wed, Jun 10, 2015 at 7:42 AM, Alex Soto <as...@gmail.com> wrote:
>> > > > >
>> > > > > > OK, no problem at all, because I will implement the logic I need as a
>> > > > > > JDK service, but I think it would be great to have all classes that
>> > > > > > can be extended in TomEE by a developer be CDI-aware, like
>> > > > > > AbstractRouter.
>> > > > > >
>> > > > > > If you want, I can send this to the devel mailing list.
>> > > > > >
>> > > > > > Alex
>> > > > > >
>> > > > > > On Tue., 9 June 2015 at 21:41, Jean-Louis Monteiro
>> > > > > > (<jlmonteiro@tomitribe.com>) wrote:
>> > > > > >
>> > > > > > > Not supported at the minute
>> > > > > > >
>> > > > > > > --
>> > > > > > > Jean-Louis Monteiro
>> > > > > > > http://twitter.com/jlouismonteiro
>> > > > > > > http://www.tomitribe.com
>> > > > > > >
>> > > > > > > On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau
>> > > > > > > <rmannibucau@gmail.com> wrote:
>> > > > > > >
>> > > > > > > > think it is not supported
>> > > > > > > >
>> > > > > > > > 2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Yeah, like a class you instantiate yourself or one that is not CDI managed (like
JPA entities). Scanned but not managed.
On 10 June 2015 05:05, "Alex Soto" <as...@gmail.com> wrote:


Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Alex Soto <as...@gmail.com>.
Hi, I would like to share this experience with CDI and PasswordCipher:

If I write the following code:

import javax.inject.Inject;
import org.apache.openejb.cipher.PasswordCipher;

// PasswordCipher implementation with a CDI injection point; the encrypt/decrypt
// methods of the interface are left out here, as in the original message
public class SecurePasswordCipher implements PasswordCipher {

    @Inject
    MasterPasswordProvider masterPasswordProvider;
}

and no MasterPasswordProvider implementation is provided, I get the following
exception:

Caused by: javax.enterprise.inject.UnsatisfiedResolutionException: Api type
[com.scytl.multitenant.MasterPasswordProvider] is not found with the
qualifiers

Qualifiers: [@javax.enterprise.inject.Default()]

for injection into Field Injection Point, field name :
masterPasswordProvider, Bean Owner : [SecurePasswordCipher, Name:null,
WebBeans Type:MANAGED, API
Types:[com.scytl.multitenant.SecurePasswordCipher,java.lang.Object,org.apache.openejb.cipher.PasswordCipher],
Qualifiers:[javax.enterprise.inject.Default,javax.enterprise.inject.Any]]


But if I create an implementation, then this exception is not thrown; in fact
everything works, but the injected field is null. I don't know if this helps you
or not.


Alex.


On Wed., 10 June 2015 at 10:35, Romain Manni-Bucau (<rm...@gmail.com>)
wrote:


Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Romain Manni-Bucau <rm...@gmail.com>.
That's a good point!

Pre-side note/history: on a pure PasswordCipher aspect it was not an issue
until recently (j8 something) because the constant pool was not used/usable for
all strings.

On a pure technical aspect and our API: most modern APIs use a String
(datasources, JavaEE APIs like HttpServletRequest... or JavaSE with
DriverManager), so we can't really help in our own API (i.e. we can fix it, but
then you get the same issue elsewhere).

So yes, there is potentially an issue, but if you think more about which kind of
attack you can get, I would worry about a lot of other things before
worrying about passwords, since it already requires advanced access to the
box.




2015-06-10 10:17 GMT+02:00 Alex Soto <as...@gmail.com>:


Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Alex Soto <as...@gmail.com>.
One thing about PasswordCipher, because you are planning to rework it :) My
security team (which is sometimes a bit crazy) pointed out to me that this
interface deals with passwords as Strings. This can be a security problem,
since Strings are immutable and not destroyed (they are pooled), so it can be a
security problem since the instances are always alive.
In fact, in my company we always treat passwords as byte[].

We even transform char[] using this algorithm:

import java.nio.ByteBuffer;
import java.nio.CharBuffer;
// password is a char[]; CHARSET is a java.nio.charset.Charset such as StandardCharsets.UTF_8
ByteBuffer bb = CHARSET.encode(CharBuffer.wrap(password));
byte[] asBytes = new byte[bb.remaining()];
bb.get(asBytes);

So the paranoia level is high, I know, but at the end it is about security.

WDYT?

On Wed., 10 June 2015 at 10:01, Romain Manni-Bucau (<rm...@gmail.com>)
wrote:

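Below is an added example, not code from Alex's message or from TomEE, that carries the char[] to byte[] conversion above a step further: it assumes UTF-8 for CHARSET, sizes the output buffer up front so that Charset.encode() cannot leave an unwiped intermediate copy behind when it grows its buffer, and zeroes both representations after use. PasswordBytes, toBytes, wipe and withPasswordBytes are names chosen here.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CoderResult;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Consumer;

/**
 * Added example, not code from the thread: char[] -> byte[] conversion that
 * leaves no plaintext copy behind except the arrays the caller controls.
 * A String cannot be treated this way: it is immutable and may be interned,
 * so a password that ever becomes a String stays on the heap until the GC
 * decides otherwise.
 */
public final class PasswordBytes {

    /** Assumption: passwords are encoded as UTF-8; the thread only names CHARSET. */
    private static final Charset CHARSET = StandardCharsets.UTF_8;

    private PasswordBytes() {
    }

    /** Encodes a char[] password into a fresh byte[] and wipes the staging buffer. */
    public static byte[] toBytes(char[] password) {
        CharsetEncoder enc = CHARSET.newEncoder(); // default action: REPORT bad input
        // Size the output for the worst case up front: Charset.encode() would instead
        // grow its buffer by reallocating, discarding partial copies it never zeroes.
        ByteBuffer out = ByteBuffer.allocate(
                (int) Math.ceil(password.length * (double) enc.maxBytesPerChar()));
        try {
            CoderResult r = enc.encode(CharBuffer.wrap(password), out, true); // wrap() copies nothing
            if (r.isError()) {
                r.throwException(); // malformed or unmappable chars
            }
            enc.flush(out);
            out.flip();
            byte[] asBytes = new byte[out.remaining()];
            out.get(asBytes);
            return asBytes;
        } catch (CharacterCodingException e) {
            throw new IllegalArgumentException("password is not encodable as " + CHARSET, e);
        } finally {
            Arrays.fill(out.array(), (byte) 0); // the staging buffer is ours: zero it
        }
    }

    /** Overwrites the caller's char[] and the derived byte[]. */
    public static void wipe(char[] chars, byte[] bytes) {
        if (chars != null) {
            Arrays.fill(chars, '\0');
        }
        if (bytes != null) {
            Arrays.fill(bytes, (byte) 0);
        }
    }

    /**
     * Runs {@code use} on the encoded password and wipes both representations
     * afterwards, whether or not {@code use} throws. The consumer must not keep
     * a reference to the array, and must not turn it into a String.
     */
    public static void withPasswordBytes(char[] password, Consumer<byte[]> use) {
        byte[] bytes = toBytes(password);
        try {
            use.accept(bytes);
        } finally {
            wipe(password, bytes);
        }
    }

    public static void main(String[] args) {
        // Constructed sample. The literal itself is a pooled String, which is exactly
        // what the thread warns about; real input would come from a char[] source
        // such as java.io.Console.readPassword().
        char[] pw = "correct horse battery staple".toCharArray();
        withPasswordBytes(pw, bytes -> System.out.println(bytes.length + " password bytes in use"));
        System.out.println("after use: " + Arrays.toString(pw)); // every element is now '\0'
    }
}
```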

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Romain Manni-Bucau <rm...@gmail.com>.
yeah, fully agree.

The few points which make PasswordCipher different are:
- they are "prototypes" (short-lived instances)
- they are not bound to any application by default (so no CDI)

That said, it shouldn't be hard to get a PasswordCipher which is actually a
CDI bridge (i.e. we don't add CDI by default but allow asking for it):
cipher:cdi:org.supercompany.SuperPwdCipher:encoded. The bridge would:
1) ensure there is a "current" CDI context
2) create the instance
3) decode as expected
4) release the creation context if the instance was not normal scoped

In terms of impl it can just be a plain old proxy delegating to an
invocation handler with this logic.

WDYT? Do you want to have a try? Any other idea we could use?

2015-06-10 9:48 GMT+02:00 Jonathan Gallimore <jg...@tomitribe.com>:

> Go for it :) - not sure what's involved off the top of my head, but am
> happy to help dig into the code.
>
> Jon
>
> On Wed, Jun 10, 2015 at 7:42 AM, Alex Soto <as...@gmail.com> wrote:
>
> > Ok, no problem at all, because I will implement the logic I need as a JDK
> > service, but I think it would be great for all classes that can be
> > extended in TomEE by a developer to be CDI aware, like AbstractRouter.
> >
> > If you want, I can send this to the devel mailing list.
> >
> > Alex
> >
> > El dt., 9 juny 2015 a les 21:41, Jean-Louis Monteiro (<
> > jlmonteiro@tomitribe.com>) va escriure:
> >
> > > Not supported at the minute
> > >
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > > On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau <
> > rmannibucau@gmail.com>
> > > wrote:
> > >
> > > > think it is not supported
> > > >
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > > <http://rmannibucau.wordpress.com> | Github <
> > > > https://github.com/rmannibucau> |
> > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > > > <http://www.tomitribe.com>
> > > >
> > > > 2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:
> > > >
> > > > > Hi guys, can I use CDI annotations in implementations of
> > > > >
> > > > > org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have
> > > > > tried but no injection occurs, and I would like to know if it is
> > > > > because I am doing something wrong or simply because it is not
> > > > > supported.
> > > > >
> > > > >
> > > > > Alex.
> > > > >
> > > >
> > >
> >
>
>
>
> --
> Jonathan Gallimore
> http://twitter.com/jongallimore
> http://www.tomitribe.com
>
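
One way to build the proxy-based bridge sketched in steps 1) to 4) above, as an added example that is not TomEE's code: it assumes the cipher class is a discoverable CDI bean of the deployed application, that org.apache.openejb.cipher.PasswordCipher is the interface the proxy must expose, and that the "current" CDI context can be reached through the standard java:comp/BeanManager JNDI name (standing in for whatever internal hook a real bridge would use); the class name CdiPasswordCipherBridge is hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import javax.enterprise.context.spi.CreationalContext;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.naming.InitialContext;
import org.apache.openejb.cipher.PasswordCipher;

// Hypothetical bridge (not TomEE code): a plain proxy whose handler resolves the real cipher via CDI.
public final class CdiPasswordCipherBridge implements InvocationHandler {
    private final Class<? extends PasswordCipher> delegateType;

    private CdiPasswordCipherBridge(final Class<? extends PasswordCipher> delegateType) {
        this.delegateType = delegateType;
    }

    /** Returns a PasswordCipher whose calls all run against a CDI-managed instance of delegateType. */
    public static PasswordCipher wrap(final Class<? extends PasswordCipher> delegateType) {
        return (PasswordCipher) Proxy.newProxyInstance(delegateType.getClassLoader(),
                new Class<?>[]{PasswordCipher.class}, new CdiPasswordCipherBridge(delegateType));
    }

    @Override
    public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable {
        if (method.getDeclaringClass() == Object.class) {
            return method.invoke(this, args); // equals/hashCode/toString answered by the handler
        }
        // 1) ensure there is a "current" CDI context: assumed reachable via the standard JNDI name
        final BeanManager bm = (BeanManager) new InitialContext().lookup("java:comp/BeanManager");
        // 2) create the instance through CDI so its @Inject points are satisfied (or fail loudly)
        final Bean<?> bean = bm.resolve(bm.getBeans(delegateType));
        if (bean == null) {
            throw new IllegalStateException("No CDI bean found for " + delegateType.getName());
        }
        final CreationalContext<?> cc = bm.createCreationalContext(bean);
        final Object cipher = bm.getReference(bean, delegateType, cc);
        try {
            return method.invoke(cipher, args); // 3) encrypt/decrypt as expected
        } catch (final InvocationTargetException ite) {
            throw ite.getCause(); // surface the cipher's own exception, not the reflective wrapper
        } finally {
            // 4) release the creational context when the bean is not normal scoped (e.g. @Dependent)
            if (!bm.isNormalScope(bean.getScope())) {
                cc.release();
            }
        }
    }
}
```

A @Dependent cipher is created and destroyed per call, which matches the "prototype" (short-lived instance) behaviour described earlier in the thread, while a normal-scoped one is left to its CDI context.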

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Jonathan Gallimore <jg...@tomitribe.com>.
Go for it :) - not sure what's involved off the top of my head, but am
happy to help dig into the code.

Jon

On Wed, Jun 10, 2015 at 7:42 AM, Alex Soto <as...@gmail.com> wrote:

> Ok, no problem at all, because I will implement the logic I need as a JDK
> service, but I think it would be great for all classes that can be
> extended in TomEE by a developer to be CDI aware, like AbstractRouter.
>
> If you want, I can send this to the devel mailing list.
>
> Alex
>
> El dt., 9 juny 2015 a les 21:41, Jean-Louis Monteiro (<
> jlmonteiro@tomitribe.com>) va escriure:
>
> > Not supported at the minute
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> > On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau <
> rmannibucau@gmail.com>
> > wrote:
> >
> > > think it is not supported
> > >
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > > <http://rmannibucau.wordpress.com> | Github <
> > > https://github.com/rmannibucau> |
> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > > <http://www.tomitribe.com>
> > >
> > > 2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:
> > >
> > > > Hi guys, can I use CDI annotations in implementations of
> > > >
> > > > org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have
> > > > tried but no injection occurs, and I would like to know if it is
> > > > because I am doing something wrong or simply because it is not
> > > > supported.
> > > >
> > > >
> > > > Alex.
> > > >
> > >
> >
>



-- 
Jonathan Gallimore
http://twitter.com/jongallimore
http://www.tomitribe.com

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Alex Soto <as...@gmail.com>.
Ok, no problem at all, because I will implement the logic I need as a JDK
service, but I think it would be great for all classes that can be
extended in TomEE by a developer to be CDI aware, like AbstractRouter.

If you want, I can send this to the devel mailing list.

Alex

El dt., 9 juny 2015 a les 21:41, Jean-Louis Monteiro (<
jlmonteiro@tomitribe.com>) va escriure:

> Not supported at the minute
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
> On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau <rm...@gmail.com>
> wrote:
>
> > think it is not supported
> >
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> > <http://rmannibucau.wordpress.com> | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> > <http://www.tomitribe.com>
> >
> > 2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:
> >
> > > Hi guys, can I use CDI annotations in implementations of
> > >
> > > org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have
> > > tried but no injection occurs, and I would like to know if it is
> > > because I am doing something wrong or simply because it is not
> > > supported.
> > >
> > >
> > > Alex.
> > >
> >
>

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Not supported at the minute

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

On Tue, Jun 9, 2015 at 4:41 PM, Romain Manni-Bucau <rm...@gmail.com>
wrote:

> think it is not supported
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> |  Blog
> <http://rmannibucau.wordpress.com> | Github <
> https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
> <http://www.tomitribe.com>
>
> 2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:
>
> > Hi guys, can I use CDI annotations in implementations of
> >
> > org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have
> > tried but no injection occurs, and I would like to know if it is
> > because I am doing something wrong or simply because it is not
> > supported.
> >
> >
> > Alex.
> >
>

Re: CDI and org.apache.openejb.cipher.PasswordCipher

Posted by Romain Manni-Bucau <rm...@gmail.com>.
think it is not supported


Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Tomitriber
<http://www.tomitribe.com>

2015-06-09 16:39 GMT+02:00 Alex Soto <as...@gmail.com>:

> Hi guys, can I use CDI annotations in implementations of
>
> org.apache.openejb.cipher.PasswordCipher using OpenEJB 4.7.2? I have tried
> but no injection occurs, and I would like to know if it is because I am
> doing something wrong or simply because it is not supported.
>
>
> Alex.
>