We can encrypt a password for SecureIdentityLoginModule and decrypt it back again.
Please see the attached decrypt_password.zip below. Inside the zip file is SecureIdentityLoginCoder.jar, which can be used to encrypt/decrypt passwords. Download the file to encrypt and decrypt the passwords.
Usage: java -jar SecureIdentityLoginCoder.jar -e|-d string
-e will encode the string
-d will decode the string
For future JBoss EAP versions
There is a feature request in the upstream project to support automatic encryption of passwords stored in the configuration. It is planned for the JBoss EAP 7.4.0.GA release, but it requires moving to the newer Elytron security subsystem and using a CredentialStore.
Let's see how to encrypt a password and decrypt it back.
Encrypt welcome123 using the downloaded jar.
Decrypt the encrypted value above using the same jar file.
SecureIdentityLoginModule ships with JBoss by default (in the PicketBox module), so you can also call its main() directly; adjust the jar versions to the ones actually present under $JBOSS_HOME/modules:
java -cp $JBOSS_HOME/modules/org/picketbox/main/picketbox-x.x.x.jar:$JBOSS_HOME/modules/org/jboss/logging/main/jboss-logging-3.1.0.xxxxx.jar:$CLASSPATH org.picketbox.datasource.security.SecureIdentityLoginModule password
Keep in mind that this encoding is reversible by design: at runtime the module decrypts the value with a key that is fixed in the PicketBox source code and identical on every installation, so anyone who can read standalone.xml can recover the password with the -d option above. Treat it as masking rather than encryption: restrict file permissions on the configuration and keep it out of version control.
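To make concrete what the jar and the main() above do, here is an added re-implementation of the scheme (my example, not the jar's source and not PicketBox's own code): Blowfish in ECB mode with PKCS5 padding under the fixed key string "jaas is the way", with the ciphertext rendered as a hex string through java.math.BigInteger. The class name, the UTF-8 charset and the sample passwords are my choices; the real tool uses the platform default charset, and I assume the attached jar wraps the same routine, which the page does not show.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Re-implementation of the SecureIdentityLoginModule password coding
 * scheme (added example, not PicketBox code): Blowfish/ECB/PKCS5 under a
 * fixed key, hex-encoded via BigInteger. Because the key is a constant,
 * anyone holding the config file can reverse it.
 */
public class SecureIdentityCoder {

    // The key is a string literal in the PicketBox source, the same on every install.
    private static final byte[] KEY = "jaas is the way".getBytes(StandardCharsets.UTF_8);
    private static final int BLOCK = 8; // Blowfish block size in bytes

    private static Cipher blowfish(int mode) throws Exception {
        // "Blowfish" alone selects ECB mode with PKCS5 padding in the JCE.
        Cipher c = Cipher.getInstance("Blowfish");
        c.init(mode, new SecretKeySpec(KEY, "Blowfish"));
        return c;
    }

    /** Encrypt and hex-encode, the way the module's -e / main() path does. */
    public static String encode(String secret) throws Exception {
        byte[] ct = blowfish(Cipher.ENCRYPT_MODE)
                .doFinal(secret.getBytes(StandardCharsets.UTF_8));
        // BigInteger is signed: a leading byte >= 0x80 gives a "-..." string
        // and leading 0x00 bytes are dropped. decode() reverses both.
        return new BigInteger(ct).toString(16);
    }

    /** Turn a module-option value back into the clear-text password. */
    public static String decode(String hex) throws Exception {
        byte[] ct = new BigInteger(hex, 16).toByteArray();
        if (ct.length % BLOCK != 0) {
            // BigInteger stripped redundant sign bytes; restore them so the
            // length is a whole number of blocks again. Pad with the sign
            // byte: zero-padding alone would corrupt the rare ciphertext whose
            // leading 0xFF bytes were dropped from a negative value.
            int padded = ((ct.length / BLOCK) + 1) * BLOCK;
            byte signByte = hex.trim().startsWith("-") ? (byte) 0xFF : (byte) 0x00;
            byte[] tmp = new byte[padded];
            Arrays.fill(tmp, 0, padded - ct.length, signByte);
            System.arraycopy(ct, 0, tmp, padded - ct.length, ct.length);
            ct = tmp;
        }
        byte[] pt = blowfish(Cipher.DECRYPT_MODE).doFinal(ct);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("-e")) {
            System.out.println(encode(args[1]));
            return;
        }
        if (args.length == 2 && args[0].equals("-d")) {
            System.out.println(decode(args[1]));
            return;
        }
        // Constructed sample passwords covering one- and two-block plaintexts.
        String[] samples = {"welcome123", "a", "0123456789abcdef", "p@ss w0rd!"};
        for (String p : samples) {
            String enc = encode(p);
            if (!p.equals(decode(enc))) {
                throw new AssertionError("round trip failed for " + p);
            }
            System.out.println(p + " -> " + enc);
        }
    }
}
```

Compile with javac SecureIdentityCoder.java; running it with no arguments round-trips the constructed samples, and java SecureIdentityCoder -d <value> recovers the password behind any SecureIdentityLoginModule password option you find in a configuration file, which is exactly why that file needs tight permissions.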
The encoded value goes into a security domain that uses SecureIdentityLoginModule. For instance, define a security domain in standalone.xml or domain.xml:
<security-domain name="MY-DS" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="admin"/>
<module-option name="password" value="3a71283f17004158ef73c8640d55708a"/>
</login-module>
</authentication>
</security-domain>
Now reference this security domain from the data source that uses this username/password combination, in standalone.xml or domain.xml; the security-domain element takes the place of the plain user-name and password elements inside <security>:
<datasource ... >
.....
<security>
<security-domain>MY-DS</security-domain>
</security>
</datasource>
Note that SecureIdentityLoginModule only covers credentials a datasource obtains through a security domain. Other secrets in standalone.xml or domain.xml, such as keystore (JKS) and truststore passwords, are not resolved through a login module; in JBoss EAP 6 they are masked with the password vault (vault.sh) instead, which is a separate mechanism.
Have a try. Good luck!
You may also check below
CUSTOM LOGINMODULE EXAMPLE
The following information will help you create a custom login module that extends UsernamePasswordLoginModule and obtains a user's password and role names from a JNDI lookup. At the end of this section you will have created a custom JNDI context login module that returns a user's password when you perform a lookup on the context using a name of the form password/<username> (where <username> is the current user being authenticated). Similarly, a lookup of the form roles/<username> returns the requested user's roles. "JndiUserAndPassLoginModule Custom Login Module" is the source code for the JndiUserAndPassLoginModule custom login module. Note that because it extends the JBoss UsernamePasswordLoginModule, all JndiUserAndPassLoginModule has to do is fetch the user's password and roles from the JNDI store; it does not itself implement the JAAS LoginModule operations, which the superclass handles.
Example 16.22. JndiUserAndPassLoginModule Custom Login Module
package org.jboss.book.security.ex2;

import java.security.acl.Group;
import java.util.Map;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.jboss.logging.Logger;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * An example custom login module that obtains passwords and roles for a user
 * from a JNDI lookup.
 *
 * @author Scott.Stark@jboss.org
 */
public class JndiUserAndPassLoginModule extends UsernamePasswordLoginModule {
    /** The JNDI name to the context that handles the password/username lookup */
    private String userPathPrefix;
    /** The JNDI name to the context that handles the roles/username lookup */
    private String rolesPathPrefix;
    private static Logger log = Logger.getLogger(JndiUserAndPassLoginModule.class);

    /**
     * Override to obtain the userPathPrefix and rolesPathPrefix options.
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        userPathPrefix = (String) options.get("userPathPrefix");
        rolesPathPrefix = (String) options.get("rolesPathPrefix");
    }

    /**
     * Get the roles the current user belongs to by querying the
     * rolesPathPrefix + '/' + super.getUsername() JNDI location.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        try {
            InitialContext ctx = new InitialContext();
            String rolesPath = rolesPathPrefix + '/' + super.getUsername();
            String[] roles = (String[]) ctx.lookup(rolesPath);
            Group[] groups = { new SimpleGroup("Roles") };
            log.info("Getting roles for user=" + super.getUsername());
            for (int r = 0; r < roles.length; r++) {
                SimplePrincipal role = new SimplePrincipal(roles[r]);
                log.info("Found role=" + roles[r]);
                groups[0].addMember(role);
            }
            return groups;
        } catch (NamingException e) {
            log.error("Failed to obtain groups for user=" + super.getUsername(), e);
            throw new LoginException(e.toString(true));
        }
    }

    /**
     * Get the password of the current user by querying the
     * userPathPrefix + '/' + super.getUsername() JNDI location.
     * The superclass compares it with the password supplied at login.
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        try {
            InitialContext ctx = new InitialContext();
            String userPath = userPathPrefix + '/' + super.getUsername();
            log.info("Getting password for user=" + super.getUsername());
            String passwd = (String) ctx.lookup(userPath);
            // Log the fact, not the value: server logs are rarely protected
            // as tightly as the credential store behind the lookup.
            log.info("Found password for user=" + super.getUsername());
            return passwd;
        } catch (NamingException e) {
            log.error("Failed to obtain password for user=" + super.getUsername(), e);
            throw new LoginException(e.toString(true));
        }
    }
}
Example 16.23. Definition of security-ex2 security domain with the newly-created custom login module
/subsystem=security/security-domain=security-ex2/:add
/subsystem=security/security-domain=security-ex2/authentication=classic:add
/subsystem=security/security-domain=security-ex2/authentication=classic/login-module=ex2/:add(\
    flag=required,\
    code=org.jboss.book.security.ex2.JndiUserAndPassLoginModule,\
    module-options=[("userPathPrefix"=>"/security/store/password"),\
                    ("rolesPathPrefix"=>"/security/store/roles")]\
)
The choice of the JndiUserAndPassLoginModule custom login module for server-side authentication of the user is determined by the login configuration of the example security domain. For an EJB JAR the META-INF/jboss-ejb3.xml descriptor sets the security domain; for a web application it is set in WEB-INF/jboss-web.xml.
Example 16.24. jboss-ejb3.xml example
<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:s="urn:security"
               version="3.1"
               impl-version="2.0">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>security-ex2</s:security-domain>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>
Example 16.25. jboss-web.xml example
<?xml version="1.0"?>
<jboss-web>
    <security-domain>security-ex2</security-domain>
</jboss-web>