JBoss6 Datasource 数据源密码加密解密机制

安全配置JBoss数据库源

最新推荐文章于 2022-06-07 14:59:54 发布

原创最新推荐文章于 2022-06-07 14:59:54 发布 · 252 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#jboss #Datasource #加密 #解密

软件程式-JAVA 专栏收录该内容

17 篇文章

订阅专栏

本文介绍了在JBoss环境下安全配置数据库源的方法，包括使用密码加密工具和配置login-config.xml来保护敏感信息，并提供了解密密码的步骤和相关代码。

一、 JBoss下配置数据源时，如果密码直接暴露给了系统的操作员或者维护人员，显然就增加了数据库不安全的因素。

MySQL Datasource配置样例

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- See http://www.jboss.org/community/wiki/Multiple1PC for information about local-tx-datasource -->
<!-- $Id: mssql-ds.xml 97536 2009-12-08 14:05:07Z jesper.pedersen $ -->

  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->  
  <!-- ===================================================================== -->

<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MyDatabase</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <user-name>admin</user-name>
    <password>password</password>
        
    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->

    <!-- sql to call on an existing pooled connection when it is obtained from pool 
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->

    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
        <type-mapping>MS SQLSERVER2000</type-mapping>
    </metadata>
  </local-tx-datasource>

</datasources>

不用担心，JBoss本身提供了对密码进行加密的工具org.jboss.resource.security.SecureIdentityLoginModule

可以在Windows下用如下命令拿到密码的加密字串：

D:\JBoss\jboss-6.1.0.Final>java -cp client\jboss-logging.jar;lib\jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password

Encoded password: 5dfc52b51bd35553df8592078de921bc

二、拿到加密的密码后就可以进行加密的数据源配置了
1. 配置 MySQL Datasource

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- See http://www.jboss.org/community/wiki/Multiple1PC for information about local-tx-datasource -->
<!-- $Id: mssql-ds.xml 97536 2009-12-08 14:05:07Z jesper.pedersen $ -->

  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->  
  <!-- ===================================================================== -->

<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MyDatabase</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    
    <!-- REPLACED WITH security-domain BELOW
    <user-name>admin</user-name>
    <password>password</password>
    -->
    <security-domain>EncryptDBPassword</security-domain>
    
    
    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->

    <!-- sql to call on an existing pooled connection when it is obtained from pool 
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->

    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
       <type-mapping>MS SQLSERVER2000</type-mapping>
    </metadata>
  </local-tx-datasource>

</datasources>

2. 配置login-config.xml（一般放到 src\main\resources\META-INF 目录下）

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
	<!-- Example usage of the SecureIdentityLoginModule -->
	<application-policy name="EncryptedMySQLDbRealm">
		<authentication>
			<login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
				<module-option name="username">admin</module-option>
				<module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
				<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
			</login-module>
		</authentication>
	</application-policy>
</policy>

3. 配置jboss-service.xml（一般放到 src\main\resources\META-INF 目录下。我是通过EJB实现DynamicLoginConfig，希望各位提供更便捷的方案）

<?xml version="1.0" encoding="UTF-8"?>
<server>
	<mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=Test.DynamicLoginConfig">
		<attribute name="AuthConfig">META-INF/login-config.xml</attribute>
		<!-- The service which supports dynamic processing of login-config.xml configurations. -->
		<depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
		<!-- Optionally specify the security mgr service to use when this service 
			is stopped to flush the auth caches of the domains registered by this service. -->
		<depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
	</mbean>
</server>

三、最后给大家介绍一种解密JBoss加密工具加密的密码
1. 找到SecureIdentityLoginModule所在的包 D:\JBoss\jboss-6.1.0.Final\lib\jbosssx.jar
找到SecureIdentityLoginModule.class，反编译一下就全明白了
加密使用的是： private static String encode(String secret)
自然解密的到是：private static char[] decode(String secret)

注：推荐反编译工具 JDGUI

2. 在Eclipse下新建包 org.jboss.resource.security ，新建SecureIdentityLoginModule.java 和PasswordDecoder.java

SecureIdentityLoginModule.java （这个类只是为了能让 PasswordDecoder 编译通过，没有实际意义）

package org.jboss.resource.security;

public class SecureIdentityLoginModule {
	private static String encode(String secret) {
		return secret;
	}

	private static char[] decode(String secret) {
		System.out.println("Input password: " + secret);
		return new char[] { '0', '1', '2', '3', '4', '5' };
	}
}

PasswordDecoder.java （利用反射调用SecureIdentityLoginModule 里 private static char[] decode(String secret) 方法）

package org.jboss.resource.security;

import java.lang.reflect.Method;

/**
 * Decode the encoded password.
 * 
 * @author 酒樽舞曲
 * 
 */
public class PasswordDecoder {
	public static void main(String args[]) throws Exception {
		Class<SecureIdentityLoginModule> cla = SecureIdentityLoginModule.class;
		Method m = cla.getDeclaredMethod("decode", String.class);
		m.setAccessible(true);

		Object obj = m.invoke(null, args[0]);
		char[] chars = (char[]) obj;

		System.out.println("Decoded password: " + new String(chars));
	}
}

3. 将编译好的 PasswordDecoder.class 放到 D:\JBoss\jboss-6.1.0.Final\lib\jbosssx.jar 中 \org\jboss\resource\security\ 下（做坏事前先备份）

4. 解密
在Windows下用如下命令拿到密文的解密字串：

D:\JBoss\jboss-6.1.0.Final>java -cp client\jboss-logging.jar;lib\jbosssx.jar org.jboss.resource.security.PasswordDecoder 5dfc52b51bd35553df8592078de921bc

Decoded password: password