openjpa-users mailing list archives

From Kevin Sutter <kwsut...@gmail.com>
Subject Re: How to encrypt DB password in persistence.xml
Date Fri, 15 May 2009 19:10:26 GMT
Thanks for the insights, Donald.  And, thanks for posting this info to the
JIRA Issue (openjpa-1089) as well.

Kevin

On Fri, May 15, 2009 at 10:25 AM, Donald Woods <dwoods@apache.org> wrote:

> We have a similar feature in Apache Geronimo for our config.xml and
> deployment plans.  The only downside of adding this to OpenJPA is that we
> would then have to follow the ASF Cryptography release guidelines at
>   http://www.apache.org/dev/crypto.html
> since we would be using encryption/decryption (even if provided by the
> JVM).  Not a biggie, but it adds a few steps to the release process...
>
>
> -Donald
>
>
>
> Kevin Sutter wrote:
>
>> Hi Yu Wang,
>> Or, you could develop an answer for OpenJPA and contribute it back to the
>> project...  :-)  Providing an encryption capability for persistence.xml
>> password values would be a nice feature.  But, this would probably only
>> apply to our openjpa.* properties...
>>
>> In your particular case where you are passing in all of the parameters to
>> dbcp, I don't see how OpenJPA could help in this case.  The URL is just
>> passed through to dbcp, so any decryption of a password field would need to
>> be provided by dbcp.
>>
>> I did a quick search on this topic and found a few hits related to
>> encrypting passwords used for dbcp.  One link [1] indicated that using
>> Tomcat 6.0 makes this a bit easier, but there were other instructions on
>> extending the BasicDataSource.  This link was specific to Tomcat's
>> server.xml, but the idea could probably be extended to the
>> persistence.xml.
>>
>> Let us know what you come up with.
>>
>> Thanks,
>> Kevin
>>
>> [1] http://stackoverflow.com/questions/129160/how-to-avoid-storing-passwords-in-the-clear-for-tomcats-server-xml-resource-defi
>>
>>
>>
>> On Fri, May 15, 2009 at 2:33 AM, wang yu <wangyumi@gmail.com> wrote:
>>
>>> Hi Kevin,
>>> Thank you. You had real good solutions but unfortunately neither of
>>> them is feasible for our project.
>>> We use Apache dbcp datasource to leverage DB connection pool and
>>> tomcat 5.5 as app server.
>>> Following is a fragment of our persistence.xml:
>>>   <property name="openjpa.ConnectionDriverName"
>>>             value="org.apache.commons.dbcp.BasicDataSource" />
>>>
>>>   <property name="openjpa.ConnectionProperties"
>>>             value="driverClassName=org.apache.derby.jdbc.ClientDriver,
>>>                    url=jdbc:derby://localhost:1527/TSAM;create=true, username=app,
>>>                    password=app, maxActive=30, maxWait=10000,
>>>                    poolPreparedStatements=true" />
>>>
>>> How to encrypt the password in this situation? Or should I adopt an
>>> alternative connection pool implementation to make password encryption
>>> easier?
>>>
>>> If there is no better solution, I guess I only have two choices:
>>> 1. Give up apache dbcp.
>>> 2. Modify source code of apache dbcp.
>>>
>>> Regards,
>>> Yu Wang
>>>
>>>
>>>
>>>
>>> On Thu, May 14, 2009 at 10:54 PM, Kevin Sutter <kwsutter@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>> JPA does not define this functionality.  You could pass in the password via
>>>> the application instead of hard-coding it in a persistence.xml.  Or, if you
>>>> are in an app server environment, you should use a jndi lookup of a
>>>> datasource.  This would be the most secure.
>>>>
>>>> Kevin
>>>>
>>>> On Tue, May 12, 2009 at 4:31 AM, wang yu <wangyumi@gmail.com> wrote:
>>>>
>>>>> As title.
>>>>>
>>>>> Regards,
>>>>> Yu Wang
>>>>>
>>>>>
>>
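
The suggestion made in the thread, passing the password in from the application instead of hard-coding it in persistence.xml, as an added example that is not part of the original messages or OpenJPA's own code. The environment variable name `TSAM_DB_PASSWORD` and the persistence unit name `tsam-unit` are assumptions; the connection settings are those of the quoted fragment, and the JPA API, OpenJPA and commons-dbcp are expected on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;

public class RuntimePasswordBootstrap {

    // Assumed names for illustration; neither appears in the thread.
    static final String PASSWORD_ENV = "TSAM_DB_PASSWORD";
    static final String UNIT_NAME = "tsam-unit";

    /**
     * Builds the properties handed to the provider at startup. Values in this
     * map override the same keys in persistence.xml, so the file can ship
     * without any password entry.
     */
    static Map<String, String> connectionOverrides(String password) {
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException(PASSWORD_ENV + " is not set");
        }
        // openjpa.ConnectionProperties is a comma-separated list of name=value
        // pairs (see the quoted fragment), so a comma in the password would be
        // read as the start of another pair. Fail fast instead.
        if (password.indexOf(',') >= 0) {
            throw new IllegalArgumentException("password must not contain ','");
        }
        Map<String, String> props = new HashMap<>();
        props.put("openjpa.ConnectionDriverName",
                  "org.apache.commons.dbcp.BasicDataSource");
        props.put("openjpa.ConnectionProperties",
                  "driverClassName=org.apache.derby.jdbc.ClientDriver,"
                + "url=jdbc:derby://localhost:1527/TSAM;create=true,"
                + "username=app,"
                + "password=" + password + ","
                + "maxActive=30,maxWait=10000,poolPreparedStatements=true");
        return props;
    }

    public static void main(String[] args) {
        // The secret comes from the process environment, not from a file in the WAR.
        Map<String, String> props = connectionOverrides(System.getenv(PASSWORD_ENV));
        EntityManagerFactory emf =
            Persistence.createEntityManagerFactory(UNIT_NAME, props);
        try {
            System.out.println("EntityManagerFactory open: " + emf.isOpen());
        } finally {
            emf.close();
        }
    }
}
```

The map is never logged or printed here, since it carries the cleartext password.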
