Wildfly: Encrypt password and username for database

Question

I would like to hand over a webapplication to some people but these people should not allowed to has access to the database with some tools. Using the webapplicaton and in the background the database is ok.

Wildfly has a config with these code:

<xa-datasource jndi-name="java:jboss/datasources/ExampleXADS" pool-name="ExampleXADS">
       <driver>h2</driver>
       <xa-datasource-property name="URL">jdbc:h2:mem:test</xa-datasource-property>
       <xa-pool>
            <min-pool-size>10</min-pool-size>
            <max-pool-size>20</max-pool-size>
            <prefill>true</prefill>
       </xa-pool>
       <security>
            <user-name>sa</user-name>
            <password>sa</password>
       </security>
    </xa-datasource>

As you can see, there is also the username and password available. How is it possible to exclude / encrypt these, so only the administrator know the password for the database. The same also for the whole application server - there are also users and password. How can I do this?

EDIT: The "customer" will get the whole application inclusive the webserver configuration. (Wilfly and .war - file) It´s only for saving the software key in the database. The first time if the "customer" start the web application, he will be prompted so enter the licence key. After entering the license key a Webservice will be called. The return code is "false" or "true" (is key valid or is key not valid) My first idea was to store the flag in the database. But if a user has access to the database, he can manipulate this flag on his own. Is there any other possibility to set a flag for "the software key is valid" instead saving the flag in the database. Any ideas?

Answer 1

You can use security domain to get over this, there could be some specific changes for Wildfly but for JBoss 7.1.1 here is what you need to do.

1. Find the location of jboss-logging-3.1.0.GA.jar in your JBoss/Widlfy server. In case of JBoss 7.1.1 it should be something like - modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar

2. Find the location of picketbox-4.0.7.Final.jar

3. Check if the picketbox jar has org.picketbox.datasource.security.SecureIdentityLoginModule class.

4. Run the following command from JBoss server root folder to encrypt your datasource connection password

   java -cp modules\org\jboss\logging\main\jboss-logging-3.1.0.GA.jar;modules\org\picketbox\main\picketbox-4.0.7.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModule PasswordXYZ

5. Get the output text and in the standalone.xml add following security domain under elements:

               <security-domain name="encrypted-ds-WASM2" cache-type="default">
                   <authentication>
                       <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                           <module-option name="username" value="WASM2"/>
                           <module-option name="password" value="89471a19022f8af"/>
                           <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=MySqlDS_Pool"/>
                       </login-module>
                   </authentication>
               </security-domain>
   

6. Use this security domain in the datasource element as follows:

               <datasource jta="false" jndi-name="java:jboss/jdbc/JNDIDS" pool-name="OFS1" enabled="true" use-ccm="false">
                   <connection-url>jdbc:oracle:thin:@x.x.x.x:1521:xxxx</connection-url>
                   <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
                   <driver>oracle</driver>
                   <security>
                       <security-domain>encrypted-ds-WASM2</security-domain>
                   </security>
                   <validation>
                       <validate-on-match>false</validate-on-match>
                       <background-validation>false</background-validation>
                       <background-validation-millis>1</background-validation-millis>
                   </validation>
                   <statement>
                       <prepared-statement-cache-size>0</prepared-statement-cache-size>
                       <share-prepared-statements>false</share-prepared-statements>
                   </statement>
               </datasource>
   

Reference Link: http://middlewaremagic.com/jboss/?p=1026

Answer 2

It is not possible. If the web application has to be able to decrypt the password to use the database, anyone on the server can do the same.

If you want to restrict access, keep the server under your control and let them access it only through a web front end.

(And even if it was possible to usefully encrypt, if they have server access they can trivially copy the database files onto their workstations, or add new user accounts to the database server).