Forums

Home » Liferay Portal » English » 3. Development

Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
vikash kumar chaurasia
To encrypt the DB password in portal-ext properties file of the server
March 11, 2010 8:45 PM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Hi,

I am using JBOSS-Tomcat Application Server bundle of Liferay 5.2.3. I have currently configured this Liferay Jboss-Tomcat bundle to work with MySQL. Now, since the MySQL connection information (e.g. DB URL, Username, Password) are stored in the portal-ext.properties file in Liferay, I want the password to be in the encrypted form, so that it is not readable. Is it possibble? How can I do this?

Anybody is having any idea?

Thanks in advance.
Sandeep Nair
RE: To encrypt the DB password in portal-ext properties file of the server
March 11, 2010 9:21 PM
Answer

Sandeep Nair

Rank: Liferay Legend

Posts: 1721

Join Date: November 5, 2008

Recent Posts

Hi,

Check portal.properties

By default the encryption used for passord is SHA

 1##
 2## Passwords
 3##
 4
 5    #
 6    # Set the following encryption algorithm to encrypt passwords. The default
 7    # algorithm is SHA (SHA-1). If set to NONE, passwords are stored in the
 8    # database as plain text. The SHA-512 algorithm is currently unsupported.
 9    #
10    #passwords.encryption.algorithm=CRYPT
11    #passwords.encryption.algorithm=MD2
12    #passwords.encryption.algorithm=MD5
13    #passwords.encryption.algorithm=NONE
14    passwords.encryption.algorithm=SHA
15    #passwords.encryption.algorithm=SHA-256
16    #passwords.encryption.algorithm=SHA-384
17    #passwords.encryption.algorithm=SSHA


You can override it by specifying it in portal-ext.properties

Regards,
Sandeep
Derek Nerenberg
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 9:46 AM
Answer

Derek Nerenberg

Rank: Junior Member

Posts: 39

Join Date: May 8, 2006

Recent Posts

What about the passwords for the database that are stored directly in the portal-ext.properties file?
vikash kumar chaurasia
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 10:23 PM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Anybody having any idea for this question.

My question is: If we have specified URL, UserName and Password for the MySql DB for Liferay in the portal-ext.properties file, how can we put the password in encrypted form, so that server can read that password and correspondingly load the Liferay DB.

Basically, putting the password in plain text in the portal-ext.properties file is not a good idea due to the security reasons.

Thanks.
Sandeep Nair
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 10:32 PM
Answer

Sandeep Nair

Rank: Liferay Legend

Posts: 1721

Join Date: November 5, 2008

Recent Posts

Hi,

So you mean database password. Well there is no way to do that i think. As far as security is considered portal-ext.properties is placed under WEB-INF/classes folder. Files under the WEB-INF directory cannot be directly accessed.

Regards,
Sandeep
vikash kumar chaurasia
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 10:44 PM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Hi Sandeep,

Thanks for reply.

However, you are fully right that the file once placed in WEB-INF/classes will not be directly accessed, however anybody can browse the folders in the Liferay bundle and go to the WEB-INF/classes and see the password and can in turn access the DB with that password.

Can we avoid such circumstances?
Pravin Pawar
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 11:33 PM
Answer

Pravin Pawar

Rank: Junior Member

Posts: 62

Join Date: November 17, 2009

Recent Posts

Hi,

You can use Jasypt (Java Simplified Encryption). Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

Refer Encrypting application configuration files

But for this you have to understand the Liferay core code. The code related to getting the jdbc connection using the jdbc.default.username and jdbc.default.password properties.
vikash kumar chaurasia
RE: To encrypt the DB password in portal-ext properties file of the server
April 5, 2010 11:39 PM
Answer

vikash kumar chaurasia

Rank: Junior Member

Posts: 97

Join Date: January 8, 2010

Recent Posts

Hi Pravin,

Thanks for reply.

But, I think it is cumbersome to dig the liferay code to simulate the Password encryption/decryption in portal-ext.properties. Do you have any idea, If we set password in encrypted form in portal-ext.properties file, how the Liferay will decrypt the password and load the DB.

Thanks again.
Pravin Pawar
RE: To encrypt the DB password in portal-ext properties file of the server
April 6, 2010 12:01 AM
Answer

Pravin Pawar

Rank: Junior Member

Posts: 62

Join Date: November 17, 2009

Recent Posts

Yes I have implemented this some time before with Liferay CE 5.2.1 release. Right now I don't have that code with me. I have modify the code related to DataSource and build portal-impl related part only. For deployment we just replace the portal-impl.jar from tomcat bundle & it's working fine.
Manish Kumar Gupta
RE: To encrypt the DB password in portal-ext properties file of the server
April 6, 2010 12:32 AM
Answer

Manish Kumar Gupta

LIFERAY STAFF

Rank: Liferay Master

Posts: 535

Join Date: May 15, 2008

Recent Posts

If security is your concern, you can use JBoss to create JNDI datasource for you databse connection and specify that JNDI name in ext-properties.

If you are using unix OS, you can give read only permission on portal-ext to app-server-user only.

Finally, if you are not really happy with above 2 approach, See http://issues.liferay.com/browse/LPS-4336 for encoding the password.
MICHAIL MOUDATSOS
RE: To encrypt the DB password in portal-ext properties file of the server
December 6, 2011 3:23 AM
Answer

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 110

Join Date: October 4, 2011

Recent Posts

Manish Kumar Gupta:
See http://issues.liferay.com/browse/LPS-4336 for encoding the password.


Is it possible to implement the solution provided there (provided code solution) using an ext plugin, rather than modifying Liferay source code and rebuilding the distribution portal-impl.jar, which is the documented approach (if I understood correctly, that is)

(Or is there some problem concerning when plugins are loaded and executed with respect to the execution time of the provided code?)

Thank you in advance!
MICHAIL MOUDATSOS
RE: To encrypt the DB password in portal-ext properties file of the server
December 9, 2011 5:45 AM
Answer

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 110

Join Date: October 4, 2011

Recent Posts

OK, after some trial and error my first impression that an ext plugin would not work because it woud be run later than the time needed, was correct, so I had to change the source code and rebuild using provided ant scripts (thankfully!). Since the http://issues.liferay.com/browse/LPS-4336 link corresponds to an earlier version of Liferay I thought it would be usefull to present an approach. The modification concerns the file com.liferay.portal.dao.jdbc.util.DataSourceFactoryBean of the porta-impl.jar:

 1
 2    [url=http://issues.liferay.com/browse/LPS-4336][/url]
 3public DataSource createInstance() throws Exception {
 4        Properties properties = _properties;
 5
 6        if (properties == null) {
 7            properties = PropsUtil.getProperties(_propertyPrefix, true);
 8        }
 9        else {
10            properties = PropertiesUtil.getProperties(
11                properties, _propertyPrefix, true);
12        }
13
14        Properties defaultProperties = PropsUtil.getProperties(
15            "jdbc.default.", true);
16
17        /**
18         * Overriding code: begin
19         */
20
21        Enumeration<String> propEnum = (Enumeration<String>)defaultProperties.propertyNames();
22
23        while(propEnum.hasMoreElements())
24        {
25            String key = propEnum.nextElement();
26
27            if(key.equalsIgnoreCase("password"))
28            {
29                /*Property jdbc.default.encrypted.password enables one to define whether the provided password is encrypted or not*/
30                boolean isEncrypted = GetterUtil.getBoolean(defaultProperties.getProperty("encrypted.password"));
31
32                if(isEncrypted)
33                {
34                    String value = defaultProperties.getProperty(key);
35                    Base64 base64 = new Base64();
36                    byte[] bytesArray = base64.decode(value.getBytes());
37                    value = new String(bytesArray);
38                    /*Set the password property in the property member field since it is the one to be taken into account*/
39                    properties.setProperty(key, value);
40                }
41            }
42        }
43
44        /**
45         * Overriding code: end
46         */
47
48        PropertiesUtil.merge(defaultProperties, properties);
49
50        properties = defaultProperties;
51//...
52//code continues...


The code part between the two "Overriding code" comments is actually an addition. Nothing was overwritten/removed. The encryption approach follows the one provided in the link of previous post. It is more like an encoding rather than a sophisticated encryption. One can replace with its own encryption choice.

I forgot to add that in this particular case the following fragment of code is sufficient to create an encoding of your db password:

1        Base64 base64 = new Base64();
2        byte[] bytesArray = null;
3        String result = null;
4        bytesArray = base64.encode(password.getBytes());
5        result = new String(bytesArray);


result variable contains the encoded password. Print it and assign it to jdbc.default.password property in portal-ext.properties