Wildfly 25.0.1 Masked JDBC Passwords

D E

Nov 15, 2021, 10:48:16 AM11/15/21
to WildFly
We have been using the following on Wildfly 24:

$ java -cp ... org.picketbox.datasource.security.SecureIdentityLoginModule "password"

And then we put the result in a .cli script as @PASSWORD@ below:

### begin cli ###

/subsystem=security/security-domain=OracleDS/authentication=classic:add( \
  login-modules=[ \
    { \
      "code"=>"org.picketbox.datasource.security.SecureIdentityLoginModule", \
      "flag"=>"required", \
      "module-options"=>[ \
        ("username"=>"@USERNAME@"), \
        ("password"=>"@PASSWORD@") \
      ] \
    } \
  ] \
)

/subsystem=datasources/jdbc-driver=oracle:add( \
  driver-module-name=com.oracle.jdbc, \
  driver-name=oracle \
)

data-source add \
  --name=OracleDS \
  --jndi-name=java:jboss/datasources/OracleDS \
  --driver-name=oracle \
  --connection-url=@CONN_URL@ \
  --url-delimiter=| \
  --security-domain=OracleDS \
  --exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter \
  --stale-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker \
  --valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker \
  --max-pool-size=256 \
  --min-pool-size=24 \
  --blocking-timeout-wait-millis=5000 \
  --idle-timeout-minutes=5 \
  --query-timeout=20 \
  --enabled=true

### end cli ###

In Wildfly 25 this seems to have been removed, but I am seeing notes about masked passwords via elytron.  Is there a way to use these in this way (similar to the old "classic" / SecureIdentityLoginModule mechanism)?  Or do we need to migrate completely to the credential-store approach?

Is there someone who can point me to docs for converting the "datasource add" portion of the above cli so that we don't go back to using clear text passwords there?

Greg Jewell

Nov 16, 2021, 8:00:54 AM11/16/21
to WildFly
Support for Picketbox and Picketlink was removed from Wildfly 25 due to incompatibilities between those components and Java SE 17.  Packages were removed from Java that both Picketbox and Picketlink relied on, and since WF 25 supports Java SE 17, they could never work.


With regards to using elytron to encrypt passwords, documentation can be found here:

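For the "datasource add" conversion asked about above, the following is an added example, not code from either post and not taken from the WildFly documentation: it replaces the security-domain/SecureIdentityLoginModule pair with an Elytron credential store and a credential-reference on the datasource. The store name OracleCS, the alias oracle-ds-password, the file oracle-cs.jceks and the @STORE_PASSWORD@ placeholder are assumptions; @USERNAME@, @PASSWORD@ and @CONN_URL@ are the placeholders from the original script.

```cli
# Added example (assumed names), not from the thread.
# Run against a started server: bin/jboss-cli.sh --connect --file=oracle-ds.cli

# 1. Credential store that will hold the database password.
#    The store's own password is the one value that must be readable by the
#    server; it can be masked instead of clear text by generating
#      bin/elytron-tool.sh mask --salt 12345678 --iteration 123 --secret <store-password>
#    and pasting the resulting "MASK-...;12345678;123" string as the clear-text value.
/subsystem=elytron/credential-store=OracleCS:add( \
  path=oracle-cs.jceks, \
  relative-to=jboss.server.config.dir, \
  create=true, \
  credential-reference={clear-text="@STORE_PASSWORD@"} \
)

# 2. Put the database password in the store under an alias. After this step the
#    secret lives only in oracle-cs.jceks, not in standalone.xml.
/subsystem=elytron/credential-store=OracleCS:add-alias( \
  alias=oracle-ds-password, \
  secret-value="@PASSWORD@" \
)

# Check: the alias should be listed.
/subsystem=elytron/credential-store=OracleCS:read-aliases

/subsystem=datasources/jdbc-driver=oracle:add( \
  driver-module-name=com.oracle.jdbc, \
  driver-name=oracle \
)

# 3. Datasource: --user-name plus --credential-reference replace --security-domain.
data-source add \
  --name=OracleDS \
  --jndi-name=java:jboss/datasources/OracleDS \
  --driver-name=oracle \
  --connection-url=@CONN_URL@ \
  --url-delimiter=| \
  --user-name=@USERNAME@ \
  --credential-reference={store=OracleCS,alias=oracle-ds-password} \
  --exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter \
  --stale-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker \
  --valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker \
  --max-pool-size=256 \
  --min-pool-size=24 \
  --blocking-timeout-wait-millis=5000 \
  --idle-timeout-minutes=5 \
  --query-timeout=20 \
  --enabled=true

# Check: the attribute should be present and the datasource should connect.
/subsystem=datasources/data-source=OracleDS:read-attribute(name=credential-reference)
/subsystem=datasources/data-source=OracleDS:test-connection-in-pool
```

Note that, unlike the old @PASSWORD@ (which was the SecureIdentityLoginModule output), @PASSWORD@ here is the clear database password at provisioning time, so the .cli file has to be handled as a secret. One way to keep it out of the script entirely, assuming the same store name and alias, is to create and populate the store offline with `bin/elytron-tool.sh credential-store --create --location oracle-cs.jceks --password <store-password> --add oracle-ds-password --secret <db-password>`, copy the .jceks into the configuration directory, and drop the add-alias step (keeping the credential-store=OracleCS:add with create=false). Either way, file permissions on the store and on the script are what protect the secret; the masked store password only prevents it from being readable in plain text in standalone.xml.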