Keeping the password secure after securing the HttpInvokers

Dennis van Beek
Greenhorn

Joined: Aug 29, 2009
Posts: 5

We had some problems with hackers hacking our JBoss, so I had to secure our HttpInvokers in JBoss 4.2.3 (EJBInvokerServlet and JMXInvokerServlet).
I changed the jboss-configuration and after that I changed the calling code (to supply a username and password).

My question now is:
In all examples I see on the internet, about adding security to JBoss, the username and password are hardcoded in the code.
Our client-code (which also needs these credentials) is open for download, so a smart hacker is able to download the code, decompile the classes and see the password.
Is there a way to make this secure?
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10266
    

The password need not necessarily be part of the code. It can be stored in a database for example or some other "store" or the user could even be prompted for it. In fact, having it in the code isn't typical for production applications.

[My Blog] [JavaRanch Journal]
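The "prompt the user" option from the reply above, as an added example that is not code from either poster or from JBoss: the client asks for the username and password at run time and puts them into the JNDI environment, so the downloadable jar contains no secret to decompile. The class name `PromptedJndiLogin` is hypothetical, and the context factory class and provider URL are passed as arguments because the thread does not give them; how the provider forwards the credentials to the secured invoker servlets is assumed, not shown.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Added example: collect credentials at run time so none ship inside the client jar. */
public class PromptedJndiLogin {

    /** Builds the JNDI environment from values supplied at run time only. */
    static Hashtable<String, Object> buildEnv(String factory, String url,
                                              String user, char[] password) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, factory);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, user);
        // Passed as a String: which credential types a provider accepts is
        // provider-specific (assumption), and String is the common denominator.
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return env;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: PromptedJndiLogin <context-factory-class> <provider-url>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            // No interactive terminal: stop instead of falling back to a baked-in secret.
            System.err.println("No console available; cannot prompt for credentials.");
            System.exit(1);
        }
        String user = console.readLine("Username: ");
        char[] password = console.readPassword("Password: "); // input is not echoed
        if (user == null || password == null) {
            System.err.println("No credentials entered.");
            System.exit(1);
        }
        try {
            Context ctx = new InitialContext(buildEnv(args[0], args[1], user, password));
            System.out.println("JNDI context created for user " + user);
            ctx.close();
        } finally {
            Arrays.fill(password, '\0'); // wipe the copy this code controls
        }
    }
}
```

Each user then needs an individual server-side account, so that a leaked or abused login can be disabled without affecting the other clients.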
 