
#3950 added encryption of jmx http ui password in config

1 parent 2dacc44 commit 4215b53a35f310f87411338ccde477386beb0ab5 @ddossot ddossot committed Nov 7, 2013
@@ -273,7 +273,7 @@
</exclusion>
</exclusions>
</dependency>
-
+
<!-- JavaX -->
<dependency>
<groupId>javax.servlet</groupId>
@@ -288,7 +288,7 @@
<artifactId>mx4j-tools</artifactId>
<version>3.0.1</version>
</dependency>
-
+
<!-- Redis -->
<dependency>
<groupId>redis.clients</groupId>
@@ -347,6 +347,11 @@
<artifactId>stringtemplate</artifactId>
<version>4.0.2</version>
</dependency>
+ <dependency>
+ <groupId>ca.juliusdavies</groupId>
+ <artifactId>not-yet-commons-ssl</artifactId>
+ <version>0.3.11</version>
+ </dependency>
<!-- Logging -->
<dependency>
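Review bot: The `not-yet-commons-ssl` dependency is added between the stringtemplate entry and `<!-- Logging -->` with no section comment, although the neighbouring groups carry one (`<!-- JavaX -->`, `<!-- Redis -->`). Judging by the `org.apache.commons.ssl.OpenSSL` import in the same commit, it appears to be pulled in for a single `OpenSSL.decrypt` call. A comment such as `<!-- OpenSSL-compatible decryption of the JMX HTTP UI password -->` would tell a maintainer why a whole SSL library is on the classpath and what to re-test when its version changes. The enclosing `<dependencies>` element starts and ends outside this hunk.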
@@ -21,11 +21,15 @@
package eu.openanalytics.rsb.security;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
import mx4j.tools.adaptor.http.HttpAdaptor;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.commons.ssl.OpenSSL;
import eu.openanalytics.rsb.config.Configuration;
import eu.openanalytics.rsb.config.Configuration.JmxConfiguration;
@@ -38,9 +42,14 @@
*/
public class SecurableMx4JHttpAdaptor extends HttpAdaptor
{
- private final Log LOGGER = LogFactory.getLog(SecurableMx4JHttpAdaptor.class);
+ private static final Log LOGGER = LogFactory.getLog(SecurableMx4JHttpAdaptor.class);
+
+ private static final String BASIC_AUTHENTICATION_METHOD = "basic";
+
+ private final String httpAuthenticationUsername, httpAuthenticationEncryptedPassword;
public SecurableMx4JHttpAdaptor(final Configuration configuration)
+ throws IOException, GeneralSecurityException
{
super();
@@ -50,13 +59,24 @@ public SecurableMx4JHttpAdaptor(final Configuration configuration)
{
if (StringUtils.isNotBlank(jmxConfiguration.getHttpAuthenticationUsername()))
{
- addAuthorization(jmxConfiguration.getHttpAuthenticationUsername(),
- jmxConfiguration.getHttpAuthenticationPassword());
+ httpAuthenticationUsername = jmxConfiguration.getHttpAuthenticationUsername();
+ httpAuthenticationEncryptedPassword = jmxConfiguration.getHttpAuthenticationPassword();
- setAuthenticationMethod("basic");
+ // decrypt the configured password using the username as the decryption password
+ final byte[] decryptedPasswordBytes = OpenSSL.decrypt("des3",
+ httpAuthenticationUsername.toCharArray(),
+ httpAuthenticationEncryptedPassword.getBytes("UTF-8"));
+
+ addAuthorization(httpAuthenticationUsername, new String(decryptedPasswordBytes, "UTF-8"));
+
+ setAuthenticationMethod(BASIC_AUTHENTICATION_METHOD);
LOGGER.info("Basic authentication active");
+ return;
}
}
+
+ httpAuthenticationUsername = null;
+ httpAuthenticationEncryptedPassword = null;
}
}
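Review bot: The key passed to `OpenSSL.decrypt("des3", ...)` is the username, which is read from the same `JmxConfiguration` as the ciphertext, so anyone who can read the configuration can recover the password; this is obfuscation rather than confidentiality. The key material should come from a source the configuration file does not reveal, such as a separately permissioned key file or a secret supplied by the environment. Until then the comment above the call should say so: `// NOTE: key (username) and ciphertext live in the same config, so this only obfuscates; restrict read access to the config file`. Only the username is checked with `isNotBlank`, so a missing password reaches `httpAuthenticationEncryptedPassword.getBytes("UTF-8")` and fails with a NullPointerException inside the constructor; a guard such as `if (StringUtils.isBlank(httpAuthenticationEncryptedPassword)) throw new IllegalArgumentException("JMX HTTP password is not configured");` would make that failure explicit. The constructor body starts outside this hunk.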
@@ -107,9 +107,15 @@
"registryPort": 1099,
"httpPort": 8889,
"httpAuthenticationUsername": "jmxui_username",
- "httpAuthenticationPassword": "jmxui_pass"
+ "httpAuthenticationPassword": "U2FsdGVkX1+nOXQF+qvSVHeDdDG+jUyJxPzm6NW4NkI="
}
</pre>
+ <p>The password is encrypted with DES3 using the username as the encryption password.
+ For example, with jmxui_username / jmxui_pass as the username / password pair, one can encrypt the password with:</p>
+ <pre>
+ $ echo -n "jmxui_pass" | openssl enc -a -e -salt -des3 -pass pass:jmxui_username
+ U2FsdGVkX1+nOXQF+qvSVHeDdDG+jUyJxPzm6NW4NkI=
+ </pre>
<p>It is recommended to enable SSL encryption for the JMX Web UI by using a frontal web-server, like Nginx.</p>
<p>Note that this security option is available even if RSB is not running in "Secure Mode" (as described above).</p>
</section>
