JBoss下配置数据源加密

一、JBoss下配置数据源时，如果密码直接暴露给了系统的操作员或者维护人员，显然就增加了数据库不安全的因素。

MySQL Datasource配置样例 

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- See http://www.jboss.org/community/wiki/Multiple1PC for information about local-tx-datasource -->
<!-- $Id: mssql-ds.xml 97536 2009-12-08 14:05:07Z jesper.pedersen $ -->

  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->
  <!-- ===================================================================== -->

<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MyDatabase</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <user-name>admin</user-name>
    <password>password</password>

    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->

    <!-- sql to call on an existing pooled connection when it is obtained from pool
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->

    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
        <type-mapping>MS SQLSERVER2000</type-mapping>
    </metadata>
  </local-tx-datasource>

</datasources>

不用担心，JBoss本身提供了对密码进行加密的工具org.jboss.resource.security.SecureIdentityLoginModule

可以在Windows下用如下命令拿到密码的加密字串： 

D:\JBoss\jboss-6.1.0.Final>java -cp client\jboss-logging.jar;lib\jbosssx.jar org.jboss.resource.security.SecureIdentityLoginModule password

Encoded password: 5dfc52b51bd35553df8592078de921bc

二、拿到加密的密码后就可以进行加密的数据源配置了
1. 配置 MySQL Datasource 

<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!--                                                                       -->
<!--  JBoss Server Configuration                                           -->
<!--                                                                       -->
<!-- ===================================================================== -->

<!-- See http://www.jboss.org/community/wiki/Multiple1PC for information about local-tx-datasource -->
<!-- $Id: mssql-ds.xml 97536 2009-12-08 14:05:07Z jesper.pedersen $ -->

  <!-- ======================================================================-->
  <!-- New ConnectionManager setup for Microsoft SQL Server 2005  driver     -->
  <!-- Further information about the Microsoft JDBC Driver version 1.1      -->
  <!-- can be found here:                                                   -->
  <!-- http://msdn2.microsoft.com/en-us/library/aa496082.aspx               -->
  <!-- ===================================================================== -->

<datasources>
  <local-tx-datasource>
    <jndi-name>MSSQLDS</jndi-name>
    <connection-url>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=MyDatabase</connection-url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

    <!-- REPLACED WITH security-domain BELOW
    <user-name>admin</user-name>
    <password>password</password>
    -->
    <security-domain>EncryptDBPassword</security-domain>


    <!-- sql to call when connection is created
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    -->

    <!-- sql to call on an existing pooled connection when it is obtained from pool
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
    -->

    <!-- corresponding type-mapping in the standardjbosscmp-jdbc.xml (optional) -->
    <metadata>
       <type-mapping>MS SQLSERVER2000</type-mapping>
    </metadata>
  </local-tx-datasource>

</datasources>

2. 配置login-config.xml（一般放到 src\main\resources\META-INF 目录下） 

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<policy>
    <!-- Example usage of the SecureIdentityLoginModule -->
    <application-policy name="EncryptedMySQLDbRealm">
        <authentication>
            <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
                <module-option name="username">admin</module-option>
                <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=MSSQLDS</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>

3. 配置jboss-service.xml（一般放到 src\main\resources\META-INF 目录下。我是通过EJB实现DynamicLoginConfig，希望各位提供更便捷的方案）

<?xml version="1.0" encoding="UTF-8"?>
<server>
    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=Test.DynamicLoginConfig">
        <attribute name="AuthConfig">META-INF/login-config.xml</attribute>
        <!-- The service which supports dynamic processing of login-config.xml configurations. -->
        <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
        <!-- Optionally specify the security mgr service to use when this service
            is stopped to flush the auth caches of the domains registered by this service. -->
        <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
    </mbean>
</server>

三、最后给大家介绍一种解密JBoss加密工具加密的密码
1. 找到SecureIdentityLoginModule所在的包 D:\JBoss\jboss-6.1.0.Final\lib\jbosssx.jar
找到SecureIdentityLoginModule.class，反编译一下就全明白了
加密使用的是： private static String encode(String secret)
自然解密的到是：private static char[] decode(String secret)

注：推荐反编译工具 JDGUI

2. 在Eclipse下新建包 org.jboss.resource.security，新建SecureIdentityLoginModule.java 和PasswordDecoder.java

SecureIdentityLoginModule.java（这个类只是为了能让 PasswordDecoder 编译通过，没有实际意义）

package org.jboss.resource.security;

public class SecureIdentityLoginModule {
    private static String encode(String secret) {
        return secret;
    }

    private static char[] decode(String secret) {
        System.out.println("Input password: " + secret);
        return new char[] { '0', '1', '2', '3', '4', '5' };
    }
}

PasswordDecoder.java（利用反射调用SecureIdentityLoginModule 里 private static char[] decode(String secret) 方法）

package org.jboss.resource.security;

import java.lang.reflect.Method;

/**
 * Decode the encoded password.
 *
 * @author 酒樽舞曲
 *
 */
public class PasswordDecoder {
    public static void main(String args[]) throws Exception {
        Class<SecureIdentityLoginModule> cla = SecureIdentityLoginModule.class;
        Method m = cla.getDeclaredMethod("decode", String.class);
        m.setAccessible(true);

        Object obj = m.invoke(null, args[0]);
        char[] chars = (char[]) obj;

        System.out.println("Decoded password: " + new String(chars));
    }
}

3. 将编译好的 PasswordDecoder.class 放到 D:\JBoss\jboss-6.1.0.Final\lib\jbosssx.jar 中 \org\jboss\resource\security\ 下 （做坏事前先备份）

4. 解密
在Windows下用如下命令拿到密文的解密字串：

D:\JBoss\jboss-6.1.0.Final>java -cp client\jboss-logging.jar;lib\jbosssx.jar org.jboss.resource.security.PasswordDecoder 5dfc52b51bd35553df8592078de921bc

Decoded password: password