Details
-
Patch
-
Resolution: Unresolved
-
Minor
-
None
-
None
-
None
Description
when you put -Djboss.sysprop.obfuscation=true in your run.conf JBOSS_OPTS, the SecurityIdentityLoginModule decode function is used to decode properties ending in _OBFUSCATED
i.e.
server/default/conf/test.properties
mypassword_OBFUSCATED=5dfc52b51bd35553df8592078de921bc
server/default/deploy/properties-service.xml
<mbean code="org.jboss.varia.property.SystemPropertiesService"
name="jboss:type=Service,name=SystemProperties">
<attribute name="URLList">
./conf/test.properties
</attribute>
</mbean>
then in your System.getProperties you have:
mypassword password
mypassword_OBFUSCATED 5dfc52b51bd35553df8592078de921bc
So you can then use those properties in your config files with ${mypassword}
you can use the same tool in: http://community.jboss.org/wiki/EncryptingDataSourcePasswords to obfuscate passwords in the property file...
This helps you pass dumb security audits that require you to do dumb things that have nothing to do with security but fake security through needless labor is an industry standard that we have to live with.