GERONIMO-3003

Encrypt password strings in deployment plans

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Wish List
    • Fix Version/s: 2.1.5, 2.2.1, 3.0.0
    • Component/s: deployment
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      Geronimo currently has a feature where password strings in the config.xml get encrypted using the org.apache.geronimo.util.EncryptionManager. This encryption is performed in the org.apache.geronimo.system.configuration.GBeanOverride class.

      It would be desirable to have the same encryption applied to the password strings in deployment plans (e.g. datasource or JMS deployment plans within an EAR). Even though the plans are only used during the deployment process, and not at runtime, the plans are left with plaintext password strings sitting in them. It would be nice if the deployment process could internally encrypt the strings and then write back out the deployment plan to the file system. Also, this means that the deployment process will require the ability to decrypt strings that are already in encrypted format in the plan (in the case of redeployment, for example).

      More discussion of this feature can be found in the following mailing list thread:

      http://www.mail-archive.com/user@geronimo.apache.org/msg05859.html

      I would suggest that an appropriate spot to perform the encryption is in the org.apache.geronimo.j2ee.deployment.EARConfigBuilder class, perhaps in the following code just before the file is written to a temporary file:


      if (gerModule.isSetAltDd()) {
          // the url of the alt dd
          try {
              altVendorDDs.put(path, DeploymentUtil.toTempFile(earFile, gerModule.getAltDd().getStringValue()));
          } catch (IOException e) {
              throw new DeploymentException("Invalid alt vendor dd url: " + gerModule.getAltDd().getStringValue(), e);
          }
      }

      However, somebody more familiar with the design might be able to suggest a better solution.

      1. GERONIMO-3003.patch
        47 kB
        Jack Cai
      2. GERONIMO-3003_21.patch
        38 kB
        Jack Cai
      3. GERONIMO-3003-2.2-2.patch
        68 kB
        David Jencks
      4. GERONIMO-3003.cmd.21.patch
        12 kB
        Jack Cai
      5. GERONIMO-3003.cmd.22.patch
        12 kB
        Jack Cai
      6. GERONIMO-3003.gshell.cmd 30.patch
        2 kB
        Vanessa Wang
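
      The behaviour requested in the description (encrypt password strings in a plan, write the plan back, and accept values that are already encrypted on redeployment) can be sketched as follows. This is an added example, not code from the attached patches or from Geronimo: it uses only the JDK, and the class name, the `{Demo}` prefix, the regex-based plan handling and the sample plan line are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PlanPasswordDemo {
    static final String PREFIX = "{Demo}"; // hypothetical marker for values that are already encrypted
    // Simplification: a regex instead of an XML parser, matching one kind of password element.
    static final Pattern PASSWORD = Pattern.compile(
        "(<config-property-setting name=\"Password\">)([^<]*)(</config-property-setting>)");

    static String encrypt(SecretKey key, String value) throws Exception {
        if (value.startsWith(PREFIX)) return value; // redeployment: do not encrypt twice
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);           // fresh nonce for every value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(SecretKey key, String value) throws Exception {
        if (!value.startsWith(PREFIX)) return value; // first deployment: still plaintext
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    // Returns the plan text with every matched password value encrypted in place.
    static String encryptPlan(SecretKey key, String planXml) throws Exception {
        Matcher m = PASSWORD.matcher(planXml);
        StringBuffer sb = new StringBuffer();
        while (m.find())
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + encrypt(key, m.group(2)) + m.group(3)));
        return m.appendTail(sb).toString();
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // demo key; key storage is out of scope
        String plan = "<config-property-setting name=\"Password\">s3cret</config-property-setting>"; // constructed sample
        String once = encryptPlan(key, plan);
        System.out.println(once.contains("s3cret"));              // is the plaintext still in the plan?
        System.out.println(encryptPlan(key, once).equals(once));  // is a second pass a no-op?
        System.out.println(decrypt(key, encrypt(key, "s3cret"))); // round trip through both helpers
    }
}
```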


          People

          • Assignee:
            Shawn Jiang
            Reporter:
            Aman Nanner
          • Votes:
            0
            Watchers:
            2
