users@glassfish.java.net

Re: password for encryption ? where ?

From: Felipe Gaúcho <fgaucho_at_gmail.com>
Date: Tue, 24 Feb 2009 09:36:14 +0100

humm. I remembered something here:

OK, if access to this config file's contents is password protected,
then I have a second problem about where to store the admin password
:), don't I?

Remember, the secret key will be used in plain text to encrypt the
confirmation URL.

On Tue, Feb 24, 2009 at 9:35 AM, Felipe Gaúcho <fgaucho_at_gmail.com> wrote:
> humm.. good idea..
>
> The "secret key" is used to hash the message sent to the users;
> basically I can use any key with length longer than 24 characters (or
> another length if I change the algorithm...).
>
> so, we should adopt anything that obey the following constraints:
>
> 1) it is portable (I must be able to deploy the login-app.ear in any
> JavaEE 5 container)
> 2) it is configurable...
>
> Your suggestion is cool, just give me a step-by-step on how to do
> that, or even better: check out the code and go ahead, and notify us
> later about how to proceed to configure the login app.
>
> Like: how to retrieve the key from that config file?
>
> * The lifetime of the registration use case is short: I expect a new
> customer to confirm his registration within a period of minutes or hours.
> We can accept failure in case the secret key changes, or even
> implement an optimistic lock during the changes.
>
>
>
> On Tue, Feb 24, 2009 at 8:14 AM, Kumar Jayanti <Vbkumar.Jayanti_at_sun.com> wrote:
>> Felipe Gaúcho wrote:
>>>
>>> I have this encryption algorithm to scramble URLs I send by email for
>>> registration confirmation... it works fine, but today the key used in
>>> the encryption is hard-coded in the bean...
>>>
>>> so, options:
>>>
>>> 1) move the password to a properties file :(
>>> 2) move the password to the "application context", which means
>>> Glassfish somewhere
>>>
>>> what is the best place to store the secret key ?
>>>
>>> * if I can use Glassfish to hold this info in administrative level, it
>>> would be the best solution for me..
>>>
>>>
>>>
>>
>> Glassfish has a file called domain-passwords under your domain config. This
>> file is a JCEKS store and is protected by the GF master password. You can
>> store passwords either in it or in a similar store and access them using the
>> Java KeyStore API.
>>
>>
>> rgds.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>
>>
>
>
>
> --
>
> Please help to test this application:
> http://fgaucho.dyndns.org:8080/cejug-classifieds-richfaces
>



-- 
Please help to test this application:
http://fgaucho.dyndns.org:8080/cejug-classifieds-richfaces
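The following is an added example illustrating Kumar's suggestion, not code from the thread or from GlassFish: it creates a JCEKS keystore (a store "similar" to domain-passwords, kept separate here so it does not mix with GlassFish's own entries), saves a random HMAC key in it as a SecretKeyEntry via the standard java.security.KeyStore API, loads the key back, and uses it to sign and verify a registration-confirmation URL. The alias, file name, store and entry passwords, and the sample URL are all assumptions chosen for the demonstration; in a real deployment the store password is the piece that still has to come from somewhere outside the application (for domain-passwords that is the GF master password), which is the second problem Felipe raises above.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Added example: keep the confirmation-URL HMAC key in a JCEKS store instead of in the bean. */
public class ConfirmationKeyStore {

    // Hypothetical alias for the entry; pick whatever fits your domain layout.
    private static final String ALIAS = "registration-confirmation-hmac";
    private static final String MAC_ALG = "HmacSHA256";
    private static final String STORE_TYPE = "JCEKS"; // the type GlassFish uses for domain-passwords

    /** Create a new JCEKS store containing a freshly generated 32-byte HMAC key. */
    static void createStore(Path file, char[] storePassword, char[] entryPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null); // initialise an empty store
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw); // never a hard-coded literal
        SecretKey key = new SecretKeySpec(raw, MAC_ALG);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(entryPassword));
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            ks.store(out, storePassword); // store password protects integrity of the file
        }
    }

    /** Open the store and retrieve the secret key; this is the "how do I retrieve the key" step. */
    static SecretKey loadKey(Path file, char[] storePassword, char[] entryPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, storePassword);
        }
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(entryPassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret-key entry under alias " + ALIAS);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    /** HMAC tag over the confirmation URL, hex-encoded so it can ride along as a query parameter. */
    static String sign(SecretKey key, String url) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(key);
        return HexFormat.of().formatHex(mac.doFinal(url.getBytes(StandardCharsets.UTF_8)));
    }

    /** Constant-time comparison so a tampered URL cannot be distinguished by timing. */
    static boolean verify(SecretKey key, String url, String tagHex) throws Exception {
        byte[] expected = HexFormat.of().parseHex(sign(key, url));
        byte[] given = HexFormat.of().parseHex(tagHex);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demonstration; a real app reads the passwords from the
        // container (e.g. the GF master password for domain-passwords), not from source code.
        Path store = Files.createTempFile("login-app", ".jceks");
        char[] storePw = "demo-store-password".toCharArray();
        char[] entryPw = "demo-entry-password".toCharArray();

        createStore(store, storePw, entryPw);
        SecretKey key = loadKey(store, storePw, entryPw);

        String url = "http://fgaucho.dyndns.org:8080/login-app/confirm?customer=42&exp=1235471774";
        String tag = sign(key, url);
        System.out.println(url + "&sig=" + tag);
        System.out.println("original verifies: " + verify(key, url, tag));
        System.out.println("tampered verifies: "
                + verify(key, url.replace("customer=42", "customer=43"), tag));
        Files.deleteIfExists(store);
    }
}
```

Because the key is looked up by alias at runtime, rotating it is a matter of writing a new entry (or a second alias) into the store and redeploying nothing; with the short confirmation window Felipe describes, a rotation that invalidates in-flight links is an acceptable failure. The entry password may simply equal the store password if you do not need per-entry protection, but it must still not be a literal in the deployed bean, which is the original problem.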