| // ======================================================================== |
| // Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd. |
| // ======================================================================== |
| // All rights reserved. This program and the accompanying materials |
| // are made available under the terms of the Eclipse Public License v1.0 |
| // and Apache License v2.0 which accompanies this distribution. |
| // |
| // The Eclipse Public License is available at |
| // http://www.eclipse.org/legal/epl-v10.html |
| // |
| // The Apache License v2.0 is available at |
| // http://www.opensource.org/licenses/apache2.0.php |
| // |
| // You may elect to redistribute this code under either of these licenses. |
| // ======================================================================== |
| |
| [[configuring-security-secure-passwords]] |
| === Secure Password Obfuscation |
| |
| There are many places where you might want to use and store a password, for example for the SSL connectors and user passwords in realms. |
| |
| Passwords can be stored in clear text, obfuscated, checksummed or encrypted in order of increasing security. |
| The choice of method to secure a password depends on where you are using the password. |
| In some cases such as keystore passwords and digest authentication, the system must retrieve the original password, which requires the obfuscation method. |
| The drawback of the obfuscation algorithm is that it protects passwords from casual viewing only. |
| |
| When the stored password is compared to one a user enters, the handling code can apply the same algorithm that secures the stored password to the user input and compare results, making password authentication more secure. |
| |
| The class `org.eclipse.jetty.util.security.Password` can be used to generate all varieties of passwords. |
| |
| Run it without arguments to see usage instructions: |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| |
| $ export JETTY_VERSION=9.0.0-SNAPSHOT |
| $ java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password |
| |
| Usage - java org.eclipse.jetty.util.security.Password [<user>] <password> |
| If the password is ?, the user will be prompted for the password |
| |
| .... |
| |
| For example, to generate a secured version of the password "blah" for the user "me": |
| |
| [source, screen, subs="{sub-order}"] |
| .... |
| |
| $ export JETTY_VERSION=9.0.0.RC0 |
| $ java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password me blah |
| blah |
| OBF:20771x1b206z |
| MD5:639bae9ac6b3e1a84cebb7b403297b79 |
| CRYPT:me/ks90E221EY |
| |
| .... |
| |
| You can now cut and paste whichever secure version you choose into your configuration file or Java code. |
| |
| For example, the last line below shows how you would implement the encrypted password generated above into the properties file for a `LoginService`: |
| |
| [source,bash] |
| ---- |
| |
| admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin |
| other: OBF:1xmk1w261u9r1w1c1xmq |
| guest: guest,read-only |
| me:CRYPT:me/ks90E221EY |
| |
| ---- |
| |
| ____ |
| [TIP] |
| Don't forget to also copy the OBF:, MD5: or CRYPT: prefix on the generated password. It will not be usable by Jetty without it. |
| ____ |
| |
| You can also use obfuscated passwords in jetty xml files where a plain text password is usually needed. |
| Here's an example setting the password for a JDBC Datasource with obfuscation: |
| |
| [source, xml, subs="{sub-order}"] |
| ---- |
| |
| <New id="DSTest" class="org.eclipse.jetty.plus.jndi.Resource"> |
| <Arg></Arg> |
| <Arg>jdbc/DSTest</Arg> |
| <Arg> |
| <New class="com.jolbox.bonecp.BoneCPDataSource"> |
| <Set name="driverClass">com.mysql.jdbc.Driver</Set> |
| <Set name="jdbcUrl">jdbc:mysql://localhost:3306/foo</Set> |
| <Set name="username">dbuser</Set> |
| <Set name="password"> |
| <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate"> |
| <Arg>OBF:1ri71v1r1v2n1ri71shq1ri71shs1ri71v1r1v2n1ri7</Arg> |
| </Call> |
| </Set> |
| <Set name="minConnectionsPerPartition">5</Set> |
| <Set name="maxConnectionsPerPartition">50</Set> |
| <Set name="acquireIncrement">5</Set> |
| <Set name="idleConnectionTestPeriod">30</Set> |
| </New> |
| </Arg> |
| </New> |
| |
| ---- |