Posted to users@cxf.apache.org by Sam Sanjabi <ss...@platform.com> on 2011/03/23 21:17:32 UTC

Eliminating Cleartext Passwords

Hello:

I've got a REST web service running on an internal network written using
JAX-RS and CXF 2.2.7, and I've used the basic_https example in
samples/jax_rs to encrypt the communications between client and server.
A bit about our setup:

1) I'm using a simple self-signed certificate generated with
keytool as this is more than adequate for our needs.

2) I've disabled client authentication as this is also adequate for
what I'm trying to do.

The issue I'm trying to resolve is the following: currently the XML
configuration file from the server requires sec:keyManagers and
sec:keyStore entries which specify the keyPassword and keystore
password.

I'd very much like to not have these passwords appearing in plain text
in the configuration file, but I'd also rather not have to prompt the
user for the password every time the server is restarted.  Is it safe to
delete the file after the server has started up (assuming I generate a
new certificate every time I restart the server)?  I tried this using
the sample server and it seemed to work fine: i.e. the server kept
running and serving requests even though the config file and the JKS
cert were moved after startup; I just want to make sure that wasn't a
fluke.

Thanks,
-S


RE: Eliminating Cleartext Passwords

Posted by Sam Sanjabi <ss...@platform.com>.
Interesting ... okay and to follow up: do you have any idea how I'd go
about programmatically giving the server instance the required
credentials before starting the server?  I'm currently starting up the
REST service through a JAXRSServerFactoryBean with a code sequence
something like this:

import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;

JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
sf.setResourceClasses(MyService.class);
// serve a single, already constructed instance of the resource class
sf.setResourceProvider(MyService.class, new SingletonResourceProvider(this));

// MyConfigClass.getPort() is our own configuration lookup
sf.setAddress("https://0.0.0.0:" + MyConfigClass.getPort() + "/");
sf.create();

But I can't see any way to give CXF the username/password until *after*
I call sf.create() to get a Server instance, but by that point the
info's already been read into memory.


-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com] 
Sent: Wednesday, March 23, 2011 5:08 PM
To: users@cxf.apache.org
Subject: Re: Eliminating Cleartext Passwords

Hi

> The issue I'm trying to resolve is the following: currently the XML
> configuration file from the server requires sec:keyManagers and
> sec:keyStore entries which specify the keyPassword and keystore
> password.
>
> I'd very much like to not have these passwords appearing in plain text
> in the configuration file, but I'd also rather not have to prompt the
> user for the password every time the server is restarted.  Is it safe to
> delete the file after the server has started up (assuming I generate a
> new certificate every time I restart the server)?  I tried this using
> the sample server and it seemed to work fine: i.e. the server kept
> running and serving requests even though the config file and the JKS
> cert were moved after startup; I just want to make sure that wasn't a
> fluke.
>
>
I think the needed information is loaded in memory, so removing the
config after the restart does not affect the current instance.

Spring property placeholders should help with hiding the sensitive
info. I tried the "spring property placeholder clear text passwords"
combination and quite a few interesting links were found.

Cheers, Sergey


> Thanks,
> -S
>
>
>
>

Re: Eliminating Cleartext Passwords

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

> The issue I'm trying to resolve is the following: currently the XML
> configuration file from the server requires sec:keyManagers and
> sec:keyStore entries which specify the keyPassword and keystore
> password.
>
> I'd very much like to not have these passwords appearing in plain text
> in the configuration file, but I'd also rather not have to prompt the
> user for the password every time the server is restarted.  Is it safe to
> delete the file after the server has started up (assuming I generate a
> new certificate every time I restart the server)?  I tried this using
> the sample server and it seemed to work fine: i.e. the server kept
> running and serving requests even though the config file and the JKS
> cert were moved after startup; I just want to make sure that wasn't a
> fluke.
>
>
I think the needed information is loaded in memory, so removing the config
after the restart does not affect the current instance.

Spring property placeholders should help with hiding the sensitive info. I
tried the "spring property placeholder clear text passwords" combination and
quite a few interesting links were found.

Cheers, Sergey


> Thanks,
> -S
>
>
>
>
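The following is an added example, not code from anyone in this thread, showing one way to answer Sam's question of handing CXF the keystore credentials before sf.create() while keeping the passwords out of the XML file, which is the same goal Sergey's property-placeholder suggestion serves. It registers TLSServerParameters for the port with the bus's JettyHTTPServerEngineFactory before the JAXRSServerFactoryBean is created, so no sec:keyManagers/sec:keyStore XML is needed. Assumptions: the environment variable name KEYSTORE_PASSWORD and the class name TlsBootstrap are made up for this example; the private-key password is taken to equal the keystore password (the keytool default); the JettyHTTPServerEngineFactory is assumed to be available as a bus extension, which is the case when cxf-rt-transports-http-jetty is on the classpath.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.ClientAuthentication;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.lifecycle.SingletonResourceProvider;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

public class TlsBootstrap {

    // Obtain the keystore password from outside the config file:
    // an environment variable (name assumed for this example) first,
    // then an interactive console prompt as a fallback.
    static char[] readKeystorePassword() {
        String fromEnv = System.getenv("KEYSTORE_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no KEYSTORE_PASSWORD set and no console to prompt on");
        }
        return console.readPassword("Keystore password: ");
    }

    // Load the JKS file and build the KeyManagers CXF will hand to Jetty.
    // Assumes the private key entry uses the same password as the store.
    static KeyManager[] loadKeyManagers(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(jksPath);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        return kmf.getKeyManagers();
    }

    // Configure TLS for the port, then create the JAX-RS server on it.
    static void start(Object serviceInstance, int port, String jksPath) throws Exception {
        TLSServerParameters tls = new TLSServerParameters();
        char[] password = readKeystorePassword();
        try {
            tls.setKeyManagers(loadKeyManagers(jksPath, password));
        } finally {
            Arrays.fill(password, '\0'); // the secret is no longer needed once the key managers exist
        }

        // Client authentication disabled, matching the setup described in the thread.
        ClientAuthentication clientAuth = new ClientAuthentication();
        clientAuth.setWant(false);
        clientAuth.setRequired(false);
        tls.setClientAuthentication(clientAuth);

        // Register the TLS parameters for the port BEFORE sf.create(), so the
        // Jetty engine CXF starts for this address picks them up.
        Bus bus = BusFactory.getDefaultBus();
        JettyHTTPServerEngineFactory engineFactory = bus.getExtension(JettyHTTPServerEngineFactory.class);
        engineFactory.setTLSServerParametersForPort(port, tls);

        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setBus(bus);
        sf.setResourceClasses(serviceInstance.getClass());
        sf.setResourceProvider(serviceInstance.getClass(), new SingletonResourceProvider(serviceInstance));
        sf.setAddress("https://0.0.0.0:" + port + "/");
        sf.create();
    }
}
```

With this arrangement the keystore and key passwords never appear in a file on disk: they live only in the process for the few milliseconds between reading them and initialising the KeyManagerFactory, after which the char[] is zeroed. This also makes explicit what Sergey observed, that once the key material has been loaded into memory the JKS file and any config file are not consulted again by the running instance.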