You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@continuum.apache.org by "jan ancajas (JIRA)" <ji...@codehaus.org> on 2008/11/12 09:47:13 UTC
[jira] Created: (CONTINUUM-1974) JDBC Password obfuscation support
JDBC Password obfuscation support
---------------------------------
Key: CONTINUUM-1974
URL: http://jira.codehaus.org/browse/CONTINUUM-1974
Project: Continuum
Issue Type: New Feature
Components: Web - Security
Affects Versions: Future
Reporter: jan ancajas
We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (CONTINUUM-1974) JDBC Password obfuscation support
Posted by "jan ancajas (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
jan ancajas updated CONTINUUM-1974:
-----------------------------------
Attachment: CONTINUUM-1974-continuum-commons.patch
attach patch + unit test.
I created an adapter to be used by any vendor specific dataSource so that we can pass an obfuscated password. Then we will just have to modify the jetty-env.xml to use that adapter.
e.g. :
original entry:
{noformat}
<New id="continuum" class="org.mortbay.jetty.plus.naming.Resource">
<Arg>jdbc/continuum</Arg>
<Arg>
<New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
<Set name="serverName">localhost</Set>
<Set name="databaseName">maestro_continuum</Set>
<Set name="user">root</Set>
<Set name="password">admin123</Set>
</New>
</Arg>
</New>
{noformat}
modified entry:
{noformat}
<New id="continuum" class="org.mortbay.jetty.plus.naming.Resource">
<Arg>jdbc/continuum</Arg>
<Arg>
<New class="org.apache.maven.continuum.utils.SecuredDataSourceAdapter">
<Set name="dataSource">
<New class="com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource">
<Set name="serverName">localhost</Set>
<Set name="databaseName">maestro_continuum</Set>
<Set name="user">root</Set>
<!--Set name="password">admin123</Set-->
</New>
</Set>
<Set name="password">OBF:1igd1iup1kfv1vne1vno1kcj1irx1idt</Set>
</New>
</New>
{noformat}
The obfuscated password is generated using the steps from : http://docs.codehaus.org/display/JETTY/Securing+Passwords
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: Future
> Reporter: jan ancajas
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=176082#action_176082 ]
Emmanuel Venisse commented on CONTINUUM-1974:
---------------------------------------------
yes, I think too it would be better to move this patch to Jetty
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=174081#action_174081 ]
Maria Catherine Tan commented on CONTINUUM-1974:
------------------------------------------------
Password is in jetty-security. We're using jetty 6.1.11 and jetty-security version starts with 7.0.0-pre4
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=176066#action_176066 ]
Emmanuel Venisse commented on CONTINUUM-1974:
---------------------------------------------
In the patch, SecuredDataSourceAdapter class isn't used or do I miss something?
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (CONTINUUM-1974) JDBC Password obfuscation support
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter updated CONTINUUM-1974:
------------------------------------
Fix Version/s: 1.3.3
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "jan ancajas (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=176067#action_176067 ]
jan ancajas commented on CONTINUUM-1974:
----------------------------------------
Hi, That class is used for the modified entry in jetty-env.xml (my first comment).
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (CONTINUUM-1974) JDBC Password obfuscation support
Posted by "Wendy Smoak (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wendy Smoak updated CONTINUUM-1974:
-----------------------------------
Affects Version/s: (was: Future)
1.2.3
Fix Version/s: 1.3.x
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.x
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (CONTINUUM-1974) JDBC Password obfuscation support
Posted by "Wendy Smoak (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wendy Smoak updated CONTINUUM-1974:
-----------------------------------
Patch Submitted: [Yes]
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.x
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=170503#action_170503 ]
Emmanuel Venisse commented on CONTINUUM-1974:
---------------------------------------------
It would be better to use jetty-util instead of the whole jetty artifact
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.x
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (CONTINUUM-1974) JDBC Password obfuscation
support
Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=176073#action_176073 ]
Maria Odea Ching commented on CONTINUUM-1974:
---------------------------------------------
Btw, we tried using this patch in a different project which has a more or less similar configuration as Continuum's jetty bundle and it worked fine.
Maybe the adapter should be contributed to Jetty instead of Continuum? Currently, Jetty's password obfuscation utility only works for mail passwords and not for database passwords so this would be really useful. Other projects can use the adapter without pulling in a dependency on Continuum..
> JDBC Password obfuscation support
> ---------------------------------
>
> Key: CONTINUUM-1974
> URL: http://jira.codehaus.org/browse/CONTINUUM-1974
> Project: Continuum
> Issue Type: New Feature
> Components: Web - Security
> Affects Versions: 1.2.3
> Reporter: jan ancajas
> Fix For: 1.3.3
>
> Attachments: CONTINUUM-1974-continuum-commons.patch
>
>
> We are using jetty's JNDI lookup for initializing the dataSource, it would be good if we can secure the password parameter. As a start, we can use the obfuscation mechanism already provided by jetty.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira