[Building Sakai] Encrypt the password in sakai.properties

Matthew Jones matthew at longsight.com
Wed Dec 26 11:32:54 PST 2012


Right, who are you trying to protect the password from?

It would be useless for Sakai to put an encryption in the code because
either the algorithm would be public so everyone could just use it or would
require some un-encrypted key that you'd still have to put somewhere,
making no difference over the current solution.

If you're trying to protect it from someone who has root on that machine,
you'd probably either need to rebuild the jar with the password in it or
put some kind of decryption algorithm in there. Someone determined could
still figure out what it's doing by decompiling the class file but it would
help.

If you're trying to protect it from other users on the system, just set the
permissions correctly on the file.

If you're just wanting to keep it out of the tomcat directory so it doesn't
mistakenly get committed or read, then you can use the security.properties
as Seth suggests.

This is the same problem for SSL keys like in Apache. You either have to
hard-code it as is, have no password or type it in every time you restart.
The third option isn't supported for Sakai.


On Wed, Dec 26, 2012 at 2:01 PM, Seth Theriault <slt at columbia.edu> wrote:

> On Wed, Dec 26, 2012 at 11:42 AM, D Yun <yun14u at yahoo.com> wrote:
>
> > I'm using Sakai 2.9.x with Tomcat 7 and MySQL 5.5.   My question is
> > related to sakai.properties.  How difficult is it to implement
> > encrypting the following line?
> >
> > password@javax.sql.BaseDataSource=ironchef
> >
> >
> > Something like these 2 lines will be perfect.
> >
> > password.securityEnabled=true
> > password@javax.sql.BaseDataSource={xor}KDo+LTcwKiw6bm9u
>
> Sensitive information like database passwords and the like are usually
> specified in a "security.properties" file that is protected outside of
> Sakai's Tomcat file structure. Take a look at this (old) doc for more
> configuration info:
>
>
> https://source.sakaiproject.org/svn/reference/trunk/docs/architecture/sakai_config.doc
>
> Once you set up a security.properties file, values specified there can
> be substituted a la:
>
> -- security.properties
>
> myPassword=ironchef
>
> -- sakai.properties
>
> password@javax.sql.BaseDataSource=${myPassword}
>
> Seth
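
A check for the two measures discussed in this thread (file permissions on the secrets file, and a `${...}` reference in sakai.properties instead of the literal password), as an added example that is not part of the original messages or of Sakai's code. The file locations, the "key contains `password`" heuristic and the sample files are assumptions constructed for the demo.

```python
import os, re, stat, tempfile

PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")

def load_props(path):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props

def audit(sakai_path, security_path):
    """Return a list of findings for the two property files."""
    findings = []
    secrets = load_props(security_path)
    for key, value in load_props(sakai_path).items():
        if "password" not in key.lower():  # heuristic, an assumption of this example
            continue
        m = PLACEHOLDER.match(value)
        if m is None:
            findings.append(f"{key}: literal value in sakai.properties")
        elif m.group(1) not in secrets:
            findings.append(f"{key}: ${{{m.group(1)}}} not defined in security.properties")
    mode = stat.S_IMODE(os.stat(security_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"security.properties: mode {mode:o} grants group/other access")
    return findings

def demo():
    """Constructed sample files: the thread's layout before and after the change."""
    d = tempfile.mkdtemp()
    sakai, sec = os.path.join(d, "sakai.properties"), os.path.join(d, "security.properties")
    with open(sec, "w") as fh:
        fh.write("myPassword=ironchef\n")
    os.chmod(sec, 0o644)
    with open(sakai, "w") as fh:
        fh.write("password@javax.sql.BaseDataSource=ironchef\n")
    before = audit(sakai, sec)
    with open(sakai, "w") as fh:
        fh.write("password@javax.sql.BaseDataSource=${myPassword}\n")
    os.chmod(sec, 0o600)
    return before, audit(sakai, sec)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```
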