Jboss Password Encryption/Decryption using org.picketbox.datasource.security.SecureIdentityLoginModule

we can to encrypt/decrypt a password encrypted with SecureIdentityLoginModule.

Please see the attached below decrypt_password.zip. Within the zip file there is SecureIdentityLoginCoder.jar, which can be used to encrypt/decrypt passwords.Download the file to encrypt and decrypt the passwrods

Usage:  java -jar SecureIdentityLoginCoder.jar -e|-d string
  -e will encode the string
  -d will decode the string

For Future JBoss EAP versions
There is a feature request for the upstream project to include automatic encryption of passwords. This is planned to be implemented in the coming EAP 7.4.0.GA release, where it will be possible to enable automatic encryption of passwords stored in configuration. But, it would require moving to the new Elytron security subsystem and usage of the CredentialStore.

Let’s see how to encrypt a password and decrypt it back .

Encrtypt welcome123 using the downloaded jar

Decrypt the above encrypted password using the same jar file

By Default SecureIdentityLoginModule is available in JBOSS .you can also try below

java -cp $JBOSS_HOME/modules/org/picketbox/main/picketbox-x.x.x.jar:$JBOSS_HOME/modules/org/jboss/logging/main/jboss-logging-3.1.0.xxxxx.jar:$CLASSPATH org.picketbox.datasource.security.SecureIdentityLoginModule password

 We can use the SecureIdentityLoginModule to add an encrypted password domain. For instance, you can define a security domain in standalone.xml or domain.xml:

<security-domain name=”MY-DS” cache-type=”default”>
<login-module code=”org.picketbox.datasource.security.SecureIdentityLoginModule” flag=”required”>
<module-option name=”username” value=”admin”/>
<module-option name=”password” value=”3a71283f17004158ef73c8640d55708a”/>


 <security-domain name="MY-DS" cache-type="default">
                        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                            <module-option name="username" value="admin"/>
                            <module-option name="password" value="3a71283f17004158ef73c8640d55708a"/>

Now we can add this security domain in your particular data source that uses this userid/pwd combination in standalone.xml or domain.xml:

  <datasource ... >

Now you can also use this to encrypt the other passwords available in standalone.xml or domain.xml like JKS password ,Truststore password or any other passwords that required in the file for JBOSS.

Have a try .Good Luck!!!

You may also check below

Thank you for visiting the site!!! Click on the below interested Ads to support us.Happy Learning … ?


The following information will help you to create a custom Login Module example that extends the UsernamePasswordLoginModule and obtains a user’s password and role names from a JNDI lookup.At the end of this section you will have created a custom JNDI context login module that will return a user’s password if you perform a lookup on the context using a name of the form password/<username> (where <username> is the current user being authenticated). Similarly, a lookup of the form roles/<username> returns the requested user’s roles. “JndiUserAndPassLoginModule Custom Login Module” is the source code for the JndiUserAndPassLoginModule custom login module.Note that because this extends the JBoss UsernamePasswordLoginModule, the JndiUserAndPassLoginModule obtains the user’s password and roles from the JNDI store. The JndiUserAndPassLoginModule does not interact with the JAAS LoginModule operations.

Example 16.22. JndiUserAndPassLoginModule Custom Login Module

package org.jboss.book.security.ex2;
import java.security.acl.Group;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
 * An example custom login module that obtains passwords and roles for a user from a JNDI lookup.
 * @author Scott.Stark@jboss.org
public class JndiUserAndPassLoginModule extends UsernamePasswordLoginModule {
  /** The JNDI name to the context that handles the password/username lookup */
  private String userPathPrefix;
  /** The JNDI name to the context that handles the roles/username lookup */
  private String rolesPathPrefix;
  private static Logger log = Logger.getLogger(JndiUserAndPassLoginModule.class);
   * Override to obtain the userPathPrefix and rolesPathPrefix options.
  public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
    super.initialize(subject, callbackHandler, sharedState, options);
    userPathPrefix = (String) options.get("userPathPrefix");
    rolesPathPrefix = (String) options.get("rolesPathPrefix");
   * Get the roles the current user belongs to by querying the rolesPathPrefix + '/' + super.getUsername() JNDI location.
  protected Group[] getRoleSets() throws LoginException {
    try {
      InitialContext ctx = new InitialContext();
      String rolesPath = rolesPathPrefix + '/' + super.getUsername();
      String[] roles = (String[]) ctx.lookup(rolesPath);
      Group[] groups = { new SimpleGroup("Roles") };
      log.info("Getting roles for user=" + super.getUsername());
      for (int r = 0; r < roles.length; r++) {
        SimplePrincipal role = new SimplePrincipal(roles[r]);
        log.info("Found role=" + roles[r]);
      return groups;
    } catch (NamingException e) {
      log.error("Failed to obtain groups for user=" + super.getUsername(), e);
      throw new LoginException(e.toString(true));
   * Get the password of the current user by querying the userPathPrefix + '/' + super.getUsername() JNDI location.
  protected String getUsersPassword() throws LoginException {
    try {
      InitialContext ctx = new InitialContext();
      String userPath = userPathPrefix + '/' + super.getUsername();
      log.info("Getting password for user=" + super.getUsername());
      String passwd = (String) ctx.lookup(userPath);
      log.info("Found password=" + passwd);
      return passwd;
    } catch (NamingException e) {
      log.error("Failed to obtain password for user=" + super.getUsername(), e);
      throw new LoginException(e.toString(true));

Example 16.23. Definition of security-ex2 security domain with the newly-created custom login module


The choice of using the JndiUserAndPassLoginModule custom login module for the server side authentication of the user is determined by the login configuration for the example security domain. The EJB JAR META-INF/jboss-ejb3.xml descriptor sets the security domain. For a web application it is part of the WEB-INF/jboss-web.xml file.

Example 16.24. jboss-ejb3.xml Example

<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:s="urn:security" version="3.1" impl-version="2.0">

Example 16.25. jboss-web.xml example

<?xml version="1.0"?>

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *