Beware of JBoss’ “SecureIdentityLoginModule”
From JBoss' Community Wiki EncryptingDataSourcePasswords page:
The org.jboss.resource.security.SecureIdentityLoginModule from jboss-jca.jar can be used to encrypt database passwords rather than using clear text passwords in the DataSource configuration. [...]
Which, in principle, is a great thing: the usual problem is that database credentials end up in the web application's configuration file in clear text. However:
[...] It uses a hard-coded password to encrypt/decrypt the DataSource password.
Bottom line: anyone using the SecureIdentityLoginModule to encrypt a password in the configuration file is doing it with Blowfish and a well-known key, so the value is obfuscated rather than protected. So if during an engagement you find a configuration snippet similar to the one below:
<policy>
  [...]
  <!-- Example usage of the SecureIdentityLoginModule -->
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">sa</module-option>
        <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
        <module-option name="managedConnectionFactoryName">[...]</module-option>
      </login-module>
    </authentication>
  </application-policy>
  [...]
</policy>
You should be able to reverse the encryption and get the credentials in clear text. JBoss.java can help you with this; it is now available in usefulfor's repository on GitHub.
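As an added example (not code from the post, from usefulfor's repository, or from JBoss), the following Python check lets a defender scan a login-config.xml for application policies that rely on this module, so the "encrypted" passwords can be treated as exposed credentials and rotated. The sample configuration is constructed after the snippet above; the connection factory name in it is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

SECURE_IDENTITY_MODULE = "org.jboss.resource.security.SecureIdentityLoginModule"

# The module stores the Blowfish ciphertext as a hex string (as in the post's snippet).
HEX_RE = re.compile(r"[0-9a-fA-F]+")

# Constructed sample login-config.xml modelled on the snippet quoted in the post.
# The managedConnectionFactoryName value is a placeholder, not a real JBoss name.
SAMPLE_LOGIN_CONFIG = """<?xml version="1.0"?>
<policy>
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">sa</module-option>
        <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
        <module-option name="managedConnectionFactoryName">PLACEHOLDER_CONNECTION_FACTORY</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="UnrelatedPolicy">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>
"""


def find_secure_identity_policies(xml_text):
    """Return one finding per application-policy that uses SecureIdentityLoginModule.

    The 'password' option of such a policy is ciphertext under a key that ships
    inside jboss-jca.jar, so anyone who can read the file can recover it; the
    finding records what a defender needs to locate and rotate that credential.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            if module.get("code") != SECURE_IDENTITY_MODULE:
                continue
            options = {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}
            password = options.get("password", "")
            findings.append({
                "policy": policy.get("name"),
                "username": options.get("username"),
                "obfuscated_password": password,
                "looks_like_module_ciphertext": HEX_RE.fullmatch(password) is not None,
                "risk": "password recoverable by anyone with read access to this file; rotate it",
            })
    return findings


if __name__ == "__main__":
    for finding in find_secure_identity_policies(SAMPLE_LOGIN_CONFIG):
        print(finding)
```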