The org.jboss.security.plugins.JaasSecurityDomain is an extension of the
JaasSecurityManager that adds the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory for supporting SSL and other cryptographic use cases.
KeyStoreType: The implementation type name being used, defaults to 'JKS'.
KeyStoreURL: Set the KeyStore database URL string. This is used to obtain
an InputStream to initialize the KeyStore. If the string is not a valid
URL, it is treated as a file.
KeyStorePass: the password used to load the KeyStore. The KeyStorePass is also used in combination with the Salt and IterationCount attributes to create a PBE secret key used with the encode/decode operations. The KeyStorePass attribute value format is one of:
The plaintext password for the KeyStore (or whatever format is used
by the KeyStore). The toCharArray() value of the string is used without any
manipulation.
A command to execute to obtain the plaintext password. The format
is '...' where the '...' is the exact command line that will be passed
to the Runtime.exec(String) method to execute a platform command. The first
line of the command output is used as the password.
A class to create to obtain the plaintext password. The format
is '{CLASS}classname[:ctorarg]' where the '[:ctorarg]' is an optional
string delimited by the ':' from the classname that will be passed to the
classname constructor (ctor). The password is obtained from classname by
invoking a 'char[] toCharArray()' method if found, otherwise, the
'String toString()' method is used.
TrustStoreType: The trust store implementation type name being used, defaults to 'JKS'.
TrustStoreURL: Set the TrustStore database URL string. This is used to obtain
an InputStream to initialize the TrustStore. If the string is not a valid
URL, it is treated as a file.
TrustStorePass: the password used to load the KeyStore. The KeyStorePass is also used in combination with the Salt and IterationCount attributes to create a PBE secret key used with the encode/decode operations. It supports the same format as the KeyStorePass.
ManagerServiceName: The JMX object name string of the security manager service
that the domain registers with to function as a security manager for the
security domain name passed to the ctor. This makes the JaasSecurityDomain
available under the standard JNDI java:/jaas/(domain) binding.
LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider
security provider should be loaded on startup. This is needed when using
the Sun JSSE jars without them installed as an extension with JDK 1.3. This
should be set to false with JDK 1.4 or when using an alternate JSSE provider.
CipherAlgorithm: The encryption cipher algorithm to use. This can be any algorithm available in the JDK. The default is PBEwithMD5andDES.
Salt: The javax.crypto.spec.PBEParameterSpec salt value
IterationCount: The javax.crypto.spec.PBEParameterSpec iteration count value
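The following Java sketch is an added example, not JBoss code: it uses the standard javax.crypto PBE classes to show how a password, a salt and an iteration count, the three values the KeyStorePass, Salt and IterationCount attributes supply, are enough to build the encode/decode key. The class name DomainPbeDemo and all sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class DomainPbeDemo {
    // Constructed sample values standing in for the MBean attributes.
    static final String CIPHER_ALGORITHM = "PBEwithMD5andDES"; // CipherAlgorithm default
    static final char[] KEYSTORE_PASS = "sample-store-pass".toCharArray();
    static final byte[] SALT = "abcdefgh".getBytes(StandardCharsets.US_ASCII); // 8 bytes for this cipher
    static final int ITERATION_COUNT = 13;

    // Build the PBE cipher from password, salt and iteration count only.
    static byte[] crypt(int mode, char[] pass, byte[] salt, int count, byte[] in)
            throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(CIPHER_ALGORITHM)
                .generateSecret(new PBEKeySpec(pass));
        Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
        cipher.init(mode, key, new PBEParameterSpec(salt, count));
        return cipher.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-secret".getBytes(StandardCharsets.UTF_8);
        byte[] encoded = crypt(Cipher.ENCRYPT_MODE, KEYSTORE_PASS, SALT, ITERATION_COUNT, secret);

        // Same three attribute values: decode succeeds.
        byte[] decoded = crypt(Cipher.DECRYPT_MODE, KEYSTORE_PASS, SALT, ITERATION_COUNT, encoded);
        System.out.println("round trip ok: " + Arrays.equals(secret, decoded));

        // A different IterationCount derives a different key, so decode fails
        // (usually with a padding error, otherwise with garbage output).
        boolean recovered;
        try {
            recovered = Arrays.equals(secret,
                    crypt(Cipher.DECRYPT_MODE, KEYSTORE_PASS, SALT, ITERATION_COUNT + 1, encoded));
        } catch (GeneralSecurityException e) {
            recovered = false;
        }
        System.out.println("decode with wrong count: " + recovered);
    }
}
```

Since the key depends only on these three values, the confidentiality of anything encoded this way rests on how well the domain's configuration and its password source are protected.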
'{CLASS}classname[:ctorarg]' implementations
There are a number of bundled implementations of classes for obtaining the KeyStorePass value. These currently include:
org.jboss.security.plugins.ConsolePassword : Read a password from the System.in stream. This may be used as a password accessor in conjunction with the JaasSecurityDomain
org.jboss.security.plugins.ConsolePassword format of the KeyStorePass attribute.
org.jboss.security.plugins.FilePassword:password-file format of the KeyStorePass attribute. The original opaque password file can be created by running:
java org.jboss.security.plugins.FilePassword salt count password password-file. Running
java org.jboss.security.plugins.FilePassword will generate a usage message. Note that this is security by obscurity in that the password is not stored in plaintext, but it can be recovered by simply using the code from this class.
org.jboss.security.plugins.TmpFilePassword : Read a password from a file specified via the ctor and then overwrite the file contents with garbage, and then remove it. This may be used as a password accessor in conjunction with the JaasSecurityDomain org.jboss.security.plugins.TmpFilePassword:password-file format of the KeyStorePass attribute.