WildFly datasource password protection

Question

How can I protect password in datasource definition in WildFly? I found link which leads to JBoss 7 version. After path correction I got this error in WildFly:

Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed

Answer 1

Procedure of datasource password encryption has little difference in WildFly from JBoss 7. Follow the main instruction located here and two notice:

1. Correct paths to the jars, which helps to generate encrypted passwords. In WildFly its located in $JBOSS_HOME/modules/system/layers/base/
2. In security-domain definition change code attribute value of the login-module tag to org.picketbox.datasource.security.SecureIdentityLoginModule
3. In security-domain definition add module-option tag with name managedConnectionFactoryName and value "jboss.jca:service=LocalTxCM,name=dsname", where dsname - name of the datasource.

Full example:

<security-domain name="EncryptedPassword">
   <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
         <module-option name="username" value="name"/>
         <module-option name="password" value="-46511cf9e238007cbb"/>
         <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=dwh"/>
     </login-module>
   </authentication>
</security-domain>

Answer 2

To encrypt your password using Wildfly, you can do this:

java -cp $WildflyHome/modules/system/layers/base/org/picketbox/main/picketbox-(version)-(beta|final).jar org.picketbox.datasource.security.SecureIdentityLoginModule yourpassword

Answer 3

I had the same issue, I found that if you use code="SecureIdentity" instead of

code="SecureIdentityLogin" (this gives "PB00024: Access Denied:Unauthenticated)

you will not get the Access Denied message.