Using LdapExtLoginModule with JaasSecurityDomain (securing passwords)

Category: Blog, Development
3 December, 2014

In our previous post, we wrote about how to connect JBoss to LDAP by defining an LdapExtLoginModule. As Terry's comment pointed out, the password in that XML is stored in plain text. In this post, we explain how to secure this password.

This is easy to do, as described in the JBoss docs: add the following XML to the file $JBOSS_HOME/server/$PROFILE/conf/jboss-service.xml. It registers a JaasSecurityDomain MBean for the jmx-console domain, which can then be used to encrypt passwords and return them Base64-encoded:

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=jmx-console">
    <constructor>
        <arg type="java.lang.String" value="jmx-console"></arg>
    </constructor>
    <attribute name="KeyStorePass">some_password</attribute>
    <attribute name="Salt">abcdefgh</attribute>
    <attribute name="IterationCount">66</attribute>
</mbean>

After this, start the JBoss server and navigate to the JMX Console (http://localhost:8080/jmx-console/ by default) and select the org.jboss.security.plugins.JaasSecurityDomain MBean.

On the org.jboss.security.plugins.JaasSecurityDomain page, look for the encode64(String password) method. Pass the plain text version of the password being used by the LdapExtLoginModule to this method and invoke it. The return value will be the encrypted version of the password encoded as Base64.

After this, open login-config.xml, edit the LdapExtLoginModule created previously, replace the password with the encrypted one, and tell the module that the password is in encrypted form. The policy should contain the following lines (adding the jaasSecurityDomain option and editing the bindCredential):

<module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=jmx-console</module-option>
<module-option name="bindCredential">6gf.s7eQiJi</module-option> <!-- LDAP password: -->

Restart the server, and that’s it!
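To make clear what the encode64 step above actually produces, and what the login module does with the bindCredential at bind time, here is an added stand-alone example (not code from this post or from JBoss). It assumes JaasSecurityDomain's default cipher algorithm, PBEwithMD5andDES, keyed from KeyStorePass with the Salt and IterationCount from the MBean definition; the LDAP bind password is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Re-implements the password-based encryption behind JaasSecurityDomain.encode64().
// Not JBoss code: the algorithm name is assumed to be the JaasSecurityDomain default.
public class JaasSecurityDomainPbe {
    private static final String ALGORITHM = "PBEwithMD5andDES";

    private final SecretKey key;
    private final PBEParameterSpec params;

    // keyStorePass, salt and iterationCount correspond to the KeyStorePass, Salt and
    // IterationCount MBean attributes. PBEwithMD5andDES requires an 8-byte salt.
    public JaasSecurityDomainPbe(String keyStorePass, String salt, int iterationCount) throws Exception {
        byte[] saltBytes = salt.getBytes(StandardCharsets.UTF_8);
        if (saltBytes.length != 8) {
            throw new IllegalArgumentException("Salt must be exactly 8 bytes for " + ALGORITHM);
        }
        SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
        this.key = factory.generateSecret(new PBEKeySpec(keyStorePass.toCharArray()));
        this.params = new PBEParameterSpec(saltBytes, iterationCount);
    }

    // Equivalent of encode64(String) in the JMX console: encrypt, then Base64-encode.
    public String encode64(String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key, params);
        return Base64.getEncoder().encodeToString(cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // What the login module does with bindCredential when jaasSecurityDomain is set:
    // Base64-decode, then decrypt back to the LDAP bind password.
    public String decode64(String encoded) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, key, params);
        return new String(cipher.doFinal(Base64.getDecoder().decode(encoded)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Values from the MBean definition above; the LDAP password is a constructed sample.
        JaasSecurityDomainPbe domain = new JaasSecurityDomainPbe("some_password", "abcdefgh", 66);
        String encoded = domain.encode64("ldap-bind-secret");
        System.out.println("bindCredential = " + encoded);
        // The value is reversible by anyone who can read jboss-service.xml, which is why
        // the KeyStorePass itself needs protecting (see below).
        System.out.println("recovered      = " + domain.decode64(encoded));
    }
}
```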

In this case, the keystore password is still in plain text in the jboss-service.xml file, but that password can itself be stored in a secure location, for example a keystore, as described in:

https://community.jboss.org/wiki/JBossAS7SecuringPasswords

Posted by bkadmin, Wednesday December 3, 2014 - 21:12