Email
Print

Hi,

Securing our Application Server resources is one of the most important administrative task. JBoss AS7 uses picketbox security implementations. In this example we will see how we can provide an Encrypted Password for our DataSources rather than using the ClearText Password. The picketbox provides us a class for encrypting the Cleartext passwords using class “org.picketbox.datasource.security.SecureIdentityLoginModule”

BUT in earlier versions on JBoss the Class was available as part of a different package “org.jboss.resource.security.SecureIdentityLoginModule” … So while using JBoss AS7 we must always make sure that we are using the right SecureIdentityLoginModule class as “org.picketbox.datasource.security.SecureIdentityLoginModule”

In this demonstration we will be using JBoss AS7 ( jboss-as-7.1.0.Beta1 ) which can be downloaded from the following link:
http://www.jboss.org/jbossas/downloads

Step1). Create a DataSource as following:

        <subsystem xmlns="urn:jboss:domain:datasources:1.0">
            <datasources>
                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="H2DS" enabled="true">
                    <connection-url>
                        jdbc:h2:mem:test;DB_CLOSE_DELAY=-1
                    </connection-url>
                    <driver>
                        h2
                    </driver>
                    <security>
                        <user-name>sa</user-name>
                        <password>sa</password>
                    </security>
                </datasource>
                
                <!-- ************************************************* -->
                <!-- We Added the below DataSource configuration Here -->
                <datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS_Pool" enabled="true" jta="false" use-ccm="false">
                    <connection-url>
                        jdbc:mysql://localhost:3306/testDB
                    </connection-url>
                    <driver-class>
                        com.mysql.jdbc.Driver
                    </driver-class>
                    <driver>
                        mysql-connector-java-5.1.13-bin.jar
                    </driver>
                    <security>
                        <security-domain>
                            encrypted-ds
                        </security-domain>
                    </security>
                </datasource>
                <!-- ************************************************* -->

                <drivers>
                    <driver name="h2" module="com.h2database.h2">
                        <xa-datasource-class>
                            org.h2.jdbcx.JdbcDataSource
                        </xa-datasource-class>
                    </driver>
                </drivers>
            </datasources>
        </subsystem>

NOTE:
In above case as we are using “mysql-connector-java-5.1.13-bin.jar” JDBC Driver which is a JDBC 4 compliant Driver so we just placed this Jar file inside the “jboss-as-7.1.0.Beta1/standalone/deployments” directory before creating the DataSource.

NOTE:
In the above DataSource configuration you will notice that inside the security tags we have NOT provided the Username and password rather we are providing the security-domain name (encrypted-ds) which we are going to configure in our next steps.

NOTE:
For more information on installing JDBC Driver and creating DataSources you can refer to the following article: http://middlewaremagic.com/jboss/?p=872

NOTE:
The simplest thing what you can do is just create a DataSource through JBoss Console as mentioned in the above link and then edit the following section of your DataSource to use security-domain rather than user-name and password attributes.

    <security>
         <user-name>dbUserOne</user-name>
         <password>PasswordXYZ</password>
    </security>

Step2). Open a Shell Prompt and then set the CLASSPATH to point to the following JAR’s “picketbox-4.0.6.Beta1.jar” and “jboss-logging-3.1.0.CR2.jar” because these Jars are required to encrypt the clear text password.

[userone@localhost ~]$      export JBOSS_HOME=/home/userone/jboss-as-7.1.0.Beta1
.
[userone@localhost ~]$      export CLASSPATH=${JBOSS_HOME}/modules/org/picketbox/main/picketbox-4.0.6.Beta1.jar:${JBOSS_HOME}/modules/org/jboss/logging/main/jboss-logging-3.1.0.CR2.jar:$CLASSPATH

[userone@localhost ~]$      java  org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ
Encoded password: -5bbc51443039e029747687c1d9ec6a8d
.

NOTE: In above demo suppose our Database Poassword is “PasswordXYZ” so after running the above command we got the encrypted password as “-5bbc51443039e029747687c1d9ec6a8d”

Step3). Now We need to create a “security-domain” inside out “${JBOSS_HOME}/standalone/configuration/standalone-full.xml” file as following, By providing the above Encrypted Password:

                <security-domain name="encrypted-ds" cache-type="default">
                    <authentication>
                        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                            <module-option name="username" value="dbUserOne"/>
                            <module-option name="password" value="-5bbc51443039e029747687c1d9ec6a8d"/>
                            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
                        </login-module>
                    </authentication>
                </security-domain>

Step4). That’s all now just restart your JBoss profile like following:

.
./standalone.sh -c standalone-full.xml 
.

Testing JBossAS7 DataSource connections using CLI

Step5). Following are the JBoss CLI command which you can use to test your DataSource is working fine or not.
In Standalone mode:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

In Domain mode:

[domain@localhost:9999 /] /host=master/server=server-one/subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

What if you enter a Wrong Encrypted password in your JBoss Configuration?

Then you will see following kind of exception in your .JBoss Console:

03:19:12,578 INFO  [org.jboss.as.osgi] (MSC service thread 1-4) JBAS011907: Register module: Module "deployment.mysql-connector-java-5.1.13-bin.jar:main" from Service Module Loader
03:19:12,641 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1047) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1042) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
	at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1041) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:581) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282) [ironjacamar-deployers-common-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:283) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:116) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]

AND

ERROR [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (management-handler-thread - 3) IJ000614: Exception during createSubject() PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.9.Final.jar:4.0.9.Final]
	at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:121) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject$1.run(PoolBySubject.java:116) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
	at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.createSubject(PoolBySubject.java:115) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject.testConnection(PoolBySubject.java:85) [ironjacamar-core-impl-1.0.11.Final.jar:1.0.11.Final]
	at org.jboss.as.connector.subsystems.common.pool.PoolOperations$TestConnectionInPool.invokeCommandOn(PoolOperations.java:121) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.connector.subsystems.common.pool.PoolOperations$1.execute(PoolOperations.java:60) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.connector.subsystems.common.pool.PoolOperations.execute(PoolOperations.java:74) [jboss-as-connector-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.ModelControllerImpl$DefaultPrepareStepHandler.execute(ModelControllerImpl.java:473) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:397) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:284) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.AbstractOperationContext.completeStep(AbstractOperationContext.java:211) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:126) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:111) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:139) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:108) [jboss-as-controller-7.1.2.Final.jar:7.1.2.Final]
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$2$1.doExecute(AbstractMessageHandler.java:295)
	at org.jboss.as.protocol.mgmt.AbstractMessageHandler$AsyncTaskRunner.run(AbstractMessageHandler.java:512)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_05]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_05]
	at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.0.0.GA.jar:2.0.0.GA]

And your CLI comman to test DataSource connections will fail like following:

[standalone@localhost:9999 /] /subsystem=datasources/data-source=MySqlDS_Pool:test-connection-in-pool
{
    "outcome" => "failed",
    "failure-description" => "JBAS010440: failed to invoke operation: JBAS010447: Connection is not valid",
    "rolled-back" => true
}

.
.
Thanks
MiddlewareMagic Team

If you enjoyed this post, please consider leaving a comment or subscribing to the RSS feed to have future articles delivered to your feed reader.