Forums

Home » Liferay Portal » English » 2. Using Liferay » General

Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
vikash kumar chaurasia
how we can encrypt password stored in portal-ext.xml
February 21, 2010 9:11 PM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Hi,

Does anybody has any Idea how we can encrypt password stored in portal-ext.xml for DB.

Thanks
Bavithra Rajendran
RE: how we can encrypt password stored in portal-ext.xml
February 21, 2010 9:52 PM
Answer

Bavithra Rajendran

LIFERAY STAFF

Rank: Regular Member

Posts: 123

Join Date: October 7, 2009

Recent Posts

Hi !

You can refer this link. Hope it might be helpful.
Olaf Kock
RE: how we can encrypt password stored in portal-ext.xml
August 8, 2010 11:24 PM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 3428

Join Date: September 23, 2008

Recent Posts

I guess the question rather targets the passwords in the properties file - e.g. those required to connect to a database.

The question would be: What is the usecase for this. Usually passwords are hashed, as they are just used to check them when a user signs in. It's sufficient to check if hashes match, so there's no need to store clear text. Also, it's not possible to decrypt a password from a hash.

With database passwords, we need them in cleartext in order to connect to a database, thus they have to be decryptable. As soon as we do that we'd need either a key in cleartext, giving a false sense of security, because we deal with encrypted passwords but have a cleartext key. An alternative would be to manually provide either the password or a passphrase for a key on server startup - which is inconvenient.

Edit: I seem to have missed pointing to the possibility to just point to the JNDI name for the datasource in portal-ext.properties. This way you let your app server handle the password and don't have it in portal-ext.properties. If you're using tomcat, that usually moves the problem to another file where the password then resides, but somehow (as explained) it needs to be readable. On other app servers it's somewhere hidden within their keystore, but as it needs to be usable, encryption here is probably also not bulletproof.
vikash kumar chaurasia
RE: how we can encrypt password stored in portal-ext.xml
February 22, 2010 5:00 AM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Hi Olaf,

Thanks for reply.

My client's requirement is like this:

They want the loprtal password not to be in plain text in portal-ext.xml file.

Thanks
Olaf Kock
RE: how we can encrypt password stored in portal-ext.xml
February 22, 2010 10:15 PM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 3428

Join Date: September 23, 2008

Recent Posts

Keep in mind that - due to the reasons I've stated - the password will be rather obfuscated than encrypted. This is a valid objection, as one cannot "accidentally" note the password, but it is no "secure" solution.

I'm not aware of an out of the box solution. If you find one, please post here. Otherwise you might want to find where the password entry is read and used and de-obfuscate it there by patching the code.

If the objection is about accidentally taking note of the password, you might work around it by using a long, not-memorizeable password like these.
MICHAIL MOUDATSOS
RE: how we can encrypt password stored in portal-ext.xml
December 9, 2011 4:47 AM
Answer

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 110

Join Date: October 4, 2011

Recent Posts

One, hard-coded way, as it is stated in http://www.liferay.com/community/forums/-/message_boards/message/11730711 is to add your decoding mechanism in the Liferay source code that reads the password and rebuild the proper jar (and of course, deploy it). Then you just have to have a small piece of code that encodes your password accordingly. I call it hard-coded in the sense that the encryption algorithm is the one added in the code and cannot be changed. Of course a more profound solution would be to assume a property that would define such an algorithm and the code would read that property and use the corresponding decryption.

The modification is rather simple and building is automated using provided ant build scripts. I only had to run ant compile once for the whole liferay source (this would fix all dependencies) and then I just used the "ant compile" or "ant jar" targets from the portal-impl build file to create portal-impl.jar and try my changes.

The apparent disadvantage of this approach is that this is bound to the Liferay version source code. If it changes you have to change it, but thats the way with a lot of ext plugins I suppose.