Keeping the password secure after securing the HttpInvokers

Dennis van Beek
Greenhorn

Joined: Aug 29, 2009
Posts: 5

We had some problems with hackers hacking our JBoss, so I had to secure our HttpInvokers in JBoss 4.2.3 (EJBInvokerServlet and JMXInvokerServlet).
I changed the jboss-configuration and after that I changed the calling code (to supply a username and password).

My question now is:
In all examples I see on the internet, about adding security to JBoss, the username and password are hardcoded in the code.
Our client-code (which also needs these credentials) is open for download, so a smart hacker is able to download the code, decompile the classes and see the password.
Is there a way to make this secure?

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10146

The password need not necessarily be part of the code. It can be stored in a database for example or some other "store" or the user could even be prompted for it. In fact, having it in the code isn't typical for production applications.

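Added example (not code from either poster or from JBoss) of the "user could even be prompted" option in the reply above: a Java client that asks for the credentials at run time and places them in a JNDI environment, so nothing secret ships in the downloadable classes. The class name, the two command-line arguments (context factory class and provider URL) and passing the credential as a `char[]` are assumptions, since the thread does not show the client's actual settings.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;

public class InvokerClientLogin {

    // Builds the JNDI environment from values supplied at run time.
    // factory and url are hypothetical parameters: pass whatever the
    // existing client already uses for its secured invoker.
    static Hashtable<String, Object> jndiEnv(String factory, String url,
                                             String user, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, user);
        // Assumption: the provider accepts char[]; some expect a String.
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: InvokerClientLogin <factory-class> <provider-url>");
            System.exit(64);
        }
        Console console = System.console();
        if (console == null) {
            // No terminal (e.g. piped input): fail instead of using a stored default.
            System.err.println("No interactive console available; cannot prompt.");
            System.exit(2);
        }
        String user = console.readLine("User: ");
        if (user == null || user.isEmpty()) {
            System.exit(1);
        }
        char[] password = console.readPassword("Password for %s: ", user); // not echoed
        if (password == null) {
            System.exit(1);
        }
        try {
            Hashtable<String, Object> env = jndiEnv(args[0], args[1], user, password);
            // A real client would create new InitialContext(env) here and do its lookup.
            System.out.println("JNDI environment ready for "
                    + env.get(Context.SECURITY_PRINCIPAL) + " at " + env.get(Context.PROVIDER_URL));
        } finally {
            Arrays.fill(password, '\0'); // wipe the in-memory copy once it is no longer needed
        }
    }
}
```

Each user then needs an individual account on the server, so a leaked or misused password can be revoked without touching the distributed client.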