users@glassfish.java.net

Re: password for encryption ? where ?

From: Felipe Gaúcho <fgaucho_at_gmail.com>
Date: Tue, 24 Feb 2009 09:35:04 +0100

humm.. good idea..

The "secret key" is used to hash the message sent to the users;
basically I can use any key with length higher than 24 characters (or
other if I change the algorithm...)....

so, we should adopt anything that obeys the following constraints:

1) it is portable (I must be able to deploy the login-app.ear in any
JavaEE 5 container)
2) it is configurable...

your suggestion is cool, just give me a step-by-step on how to do
that, or even better: check out the code and go ahead.. notifying us
about how to proceed later to config the login app.

like: how to retrieve the key from that config file ?

* the life-time of the registration use-case is short.. I expect a new
customer to confirm his registration in a period of minutes or hours..
we can accept failure in case of the secret key changing, or even
implement an optimistic lock during the changes..



On Tue, Feb 24, 2009 at 8:14 AM, Kumar Jayanti <Vbkumar.Jayanti_at_sun.com> wrote:
> Felipe Gaúcho wrote:
>>
>> I have this encryption algorithm to scramble URLs I send by email for
>> registration confirmation.... it works fine, but today the key used in
>> the encryption is hard coded in the bean ...
>>
>> so, options:
>>
>> 1) to move the password to a properties file :(
>> 2) to move the password to the "application context", which means
>> Glassfish somewhere
>>
>> what is the best place to store the secret key ?
>>
>> * if I can use Glassfish to hold this info in administrative level, it
>> would be the best solution for me..
>>
>>
>>
>
> Glassfish has a file called domain-passwords under your domain config. This
> file is a JCEKS store and is protected by the GF masterpassword. You can
> store passwords either in it or in a similar store and access them using the
> Java KeyStore API.
>
>
> rgds.
>



-- 
Please help to test this application:
http://fgaucho.dyndns.org:8080/cejug-classifieds-richfaces
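Kumar's pointer to a JCEKS store and the Java KeyStore API, worked through as an added example that is not part of this thread or of the login-app code: it creates a JCEKS file of its own (a "similar store", not the GlassFish domain-passwords file), keeps the HMAC key there as a SecretKeyEntry, reads it back, and signs a confirmation URL with it instead of a key hard-coded in the bean. The alias, the two passwords and the sample URL are constructed for the example; in a deployment the store path and passwords would be read from configuration rather than constants.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class RegistrationTokenKeyStore {
    private static final String ALIAS = "registration-hmac-key"; // constructed alias
    private static final char[] STORE_PW = "store-password".toCharArray(); // constructed
    private static final char[] KEY_PW = "entry-password".toCharArray();   // constructed

    /** Generate a fresh HMAC key and save it as a SecretKeyEntry in a JCEKS file. */
    static void createStore(Path file) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, STORE_PW); // start from an empty store
        SecretKey key = KeyGenerator.getInstance("HmacSHA256").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(KEY_PW));
        try (var out = Files.newOutputStream(file)) {
            ks.store(out, STORE_PW);
        }
    }

    /** Retrieve the key from the store: the step the thread asks about. */
    static SecretKey loadKey(Path file) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (var in = Files.newInputStream(file)) {
            ks.load(in, STORE_PW);
        }
        KeyStore.Entry e = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(KEY_PW));
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    /** Authenticate the confirmation URL with the stored key instead of a hard-coded one. */
    static String sign(SecretKey key, String url) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(url.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        Path store = Files.createTempFile("registration", ".jceks");
        createStore(store);
        System.out.println(sign(loadKey(store), "https://example.invalid/confirm?user=42"));
    }
}
```

The confirmation handler recomputes the same HMAC over the URL and compares it with the received tag, so rotating the key only invalidates links issued before the rotation, which matches the short registration window described above.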