Thursday, April 17, 2014

How to secure the plain text password of NetworkAuthenticatorConfig element in carbon.xml with WSO2 Carbon Secure Vault

If you are familiar with Carbon servers you may have noticed that passwords are set in plain text in the configuration files, so anyone who can read those files can read the credentials. With the Secure Vault implementation you can get rid of plain text passwords.

The following blog posts provide thorough knowledge on how to work with WSO2 Carbon Secure Vault.

[1] http://ajithvblogs.blogspot.com/2014/01/secure-custom-configuration-filexml.html
[2] http://pathberiya.blogspot.com/2012/08/secure-plain-text-passwords-in-wso2.html

In this post I am going to discuss how to secure the password field under the 'NetworkAuthenticatorConfig' element defined in carbon.xml.

This requires a custom implementation, as this password field is not supported out of the box. You can follow the 7 steps provided in blog [1].

Here are the implementation details:

You need to modify setupAuthenticator method in https://svn.wso2.org/repos/wso2/carbon/kernel/branches/4.2.0/core/org.wso2.carbon.utils/4.2.0/src/main/java/org/wso2/carbon/context/internal/CarbonContextDataHolder.java class.
Note: The version 4.2.0 may vary depending on your carbon server release.

By default this method reads the password value from carbon.xml. Once Secure Vault is in use the actual password is no longer in carbon.xml, so the method has to ask the secret resolver for the decrypted password when the alias is protected, and fall back to the plain text value only when it is not.

The modified method is as follows:

    // In addition to the imports the class already has (OMElement, QName, Iterator, XMLUtils,
    // CarbonUtils, ServerConstants) this needs org.wso2.securevault.SecretResolver and
    // org.wso2.securevault.SecretResolverFactory.
    private static void setupAuthenticator(CarbonAuthenticator authenticator) throws Exception {
        OMElement documentElement = XMLUtils.toOM(
                CarbonUtils.getServerConfiguration().getDocumentElement());
        OMElement security = documentElement.getFirstChildWithName(
                new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Security"));
        if (security == null) {
            return;
        }
        OMElement authenticators = security.getFirstChildWithName(
                new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "NetworkAuthenticatorConfig"));
        if (authenticators == null) {
            return;
        }

        // Alias of the entry you added to cipher-tool.properties / cipher-text.properties.
        // Every Credential element below resolves its password through this single alias.
        String secretAlias = "xxxxxxxxxxxxxxxxxxxxx: Set the entry key used in cipher-tool.properties/cipher-text.properties xxxxxxxxxxxxxxxxxxx";
        // The resolver is only initialised when carbon.xml carries the Secure Vault configuration.
        SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);

        for (Iterator iterator = authenticators.getChildElements(); iterator.hasNext(); ) {
            OMElement authenticatorElement = (OMElement) iterator.next();
            if (!authenticatorElement.getLocalName().equalsIgnoreCase("Credential")) {
                continue;
            }
            String pattern = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Pattern")).getText();
            String type = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Type")).getText();
            String username = authenticatorElement.getFirstChildWithName(
                    new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Username")).getText();

            String password;
            if (secretResolver != null && secretResolver.isInitialized()
                    && secretResolver.isTokenProtected(secretAlias)) {
                // Secure Vault holds the encrypted value: decrypt it instead of trusting carbon.xml.
                password = secretResolver.resolve(secretAlias);
            } else {
                // No Secure Vault entry for this alias (or no vault configured):
                // fall back to the plain text <Password> element as before.
                password = authenticatorElement.getFirstChildWithName(
                        new QName(ServerConstants.CARBON_SERVER_XML_NAMESPACE, "Password")).getText();
            }
            authenticator.addAuthenticator(type, pattern, username, password);
        }
    }
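To see what the patched method decides for each Credential entry, here is an added audit script (my own, not part of WSO2 Carbon or of this post) that applies the same rule to a constructed carbon.xml fragment and a constructed cipher-text.properties: if the alias has an entry in cipher-text.properties (the question SecretResolver.isTokenProtected answers), the password is supplied by Secure Vault, otherwise the plain text <Password> element is used. It also flags any real value still sitting in a <Password> element, since that stays readable on disk even once the vault entry exists. The alias name, the sample values, and the "password" placeholder convention are assumptions; actual decryption needs the keystore and is deliberately not attempted.

```python
import xml.etree.ElementTree as ET

# Namespace used by carbon.xml (ServerConstants.CARBON_SERVER_XML_NAMESPACE in the kernel).
CARBON_NS = "http://wso2.org/projects/carbon/carbon.xml"
NS = {"c": CARBON_NS}
# Hypothetical alias: use whatever entry key you added to cipher-tool.properties / cipher-text.properties.
SECRET_ALIAS = "Carbon.Security.NetworkAuthenticatorConfig.Password"
# Assumed convention: a protected element keeps the literal text "password" in the config file.
PLACEHOLDER = "password"

# Constructed sample: second Credential still carries a real value in <Password>.
SAMPLE_CARBON_XML = """
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Security>
    <NetworkAuthenticatorConfig>
      <Credential>
        <Pattern>.*/registry/.*</Pattern>
        <Type>server</Type>
        <Username>admin</Username>
        <Password>password</Password>
      </Credential>
      <Credential>
        <Pattern>.*/legacy/.*</Pattern>
        <Type>proxy</Type>
        <Username>svc</Username>
        <Password>Pl41nT3xt!</Password>
      </Credential>
    </NetworkAuthenticatorConfig>
  </Security>
</Server>
"""

# Constructed cipher-text.properties: alias=ciphertext (value is a made-up placeholder).
SAMPLE_CIPHER_TEXT = """# constructed sample
Carbon.Security.NetworkAuthenticatorConfig.Password=BASE64-CIPHERTEXT-PLACEHOLDER
"""


def load_cipher_text(text):
    """Parse cipher-text.properties into {alias: ciphertext}; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_token_protected(props, alias):
    """Mirror of SecretResolver.isTokenProtected: does Secure Vault hold an entry for this alias?"""
    return alias in props


def resolve_credentials(carbon_xml, props, alias):
    """Report, per Credential, where the patched method would take the password from."""
    root = ET.fromstring(carbon_xml)
    config = root.find("c:Security/c:NetworkAuthenticatorConfig", NS)
    if config is None:
        return []
    protected = is_token_protected(props, alias)
    report = []
    for cred in config.findall("c:Credential", NS):
        password_text = (cred.findtext("c:Password", default="", namespaces=NS) or "").strip()
        report.append({
            "username": cred.findtext("c:Username", default="", namespaces=NS),
            "type": cred.findtext("c:Type", default="", namespaces=NS),
            "pattern": cred.findtext("c:Pattern", default="", namespaces=NS),
            # The single alias decides for every Credential, exactly as in the Java method.
            "source": "securevault" if protected else "plaintext",
            # A real value left in <Password> is readable by anyone with access to carbon.xml,
            # whether or not the server still uses it.
            "plaintext_on_disk": bool(password_text) and password_text != PLACEHOLDER,
        })
    return report


if __name__ == "__main__":
    props = load_cipher_text(SAMPLE_CIPHER_TEXT)
    for entry in resolve_credentials(SAMPLE_CARBON_XML, props, SECRET_ALIAS):
        flag = "  <-- plain text value still in carbon.xml" if entry["plaintext_on_disk"] else ""
        print(f"{entry['username']:8} {entry['type']:7} source={entry['source']}{flag}")
```

With the alias present the second entry is reported as served by Secure Vault but still flagged, which is the cue to scrub the leftover value down to the placeholder; remove the alias from the properties and every entry falls back to plain text, which is the pre-patch behaviour.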

Patch process:

 - build the org.wso2.carbon.utils bundle with 'mvn clean install'
 - create a directory called patch000X (X being a number greater than any existing patch directory) in the $PRODUCT_HOME/repository/components/patches/ directory
 - place the built jar in the patch000X directory
 - restart the server with "-DapplyPatches" as follows:

 ./wso2server.sh -DapplyPatches 
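The four steps above automated as an added helper script (mine, not shipped with any WSO2 product): it picks the next free patch number by scanning the existing patchNNNN directories, copies the built jar into it without ever overwriting an earlier patch, and, when run as a program, invokes the build and the restart. The bundle directory, the jar name pattern and the bin/wso2server.sh location are assumptions about your checkout and product layout.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Carbon patch directories are named patch followed by four digits, e.g. patch0000, patch0007.
PATCH_RE = re.compile(r"^patch(\d{4})$")


def next_patch_number(patches_root):
    """Smallest number greater than every existing patchNNNN directory (0 when there are none)."""
    root = Path(patches_root)
    highest = -1
    if root.is_dir():
        for entry in root.iterdir():
            match = PATCH_RE.match(entry.name)
            if match and entry.is_dir():
                highest = max(highest, int(match.group(1)))
    return highest + 1


def stage_patch(jar_path, patches_root):
    """Create the next patchNNNN directory, copy the jar into it and return the new directory."""
    number = next_patch_number(patches_root)
    target = Path(patches_root) / f"patch{number:04d}"
    # exist_ok=False: an existing patch directory must never be silently overwritten.
    target.mkdir(parents=True, exist_ok=False)
    shutil.copy2(jar_path, target / Path(jar_path).name)
    return target


def main(bundle_dir, product_home):
    """Build the bundle, stage the jar and restart the server with -DapplyPatches."""
    subprocess.run(["mvn", "clean", "install"], cwd=bundle_dir, check=True)
    # Assumed: Maven puts the built bundle under <bundle_dir>/target/*.jar.
    jars = sorted(Path(bundle_dir, "target").glob("org.wso2.carbon.utils*.jar"))
    if not jars:
        raise SystemExit("no org.wso2.carbon.utils jar found under target/")
    patches_root = Path(product_home, "repository", "components", "patches")
    target = stage_patch(jars[-1], patches_root)
    print(f"staged {jars[-1].name} in {target}")
    # Stop the running server before this; -DapplyPatches copies the patch jars in on startup.
    subprocess.run([str(Path(product_home, "bin", "wso2server.sh")), "-DapplyPatches"], check=True)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit("usage: stage_patch.py <org.wso2.carbon.utils checkout> <PRODUCT_HOME>")
    main(sys.argv[1], sys.argv[2])
```

Run it as `python stage_patch.py path/to/org.wso2.carbon.utils $PRODUCT_HOME`; the numbering logic can be exercised on its own against any directory tree.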
