Tribune

Home » Liferay Portal » English » 3. Development

Vista Combinata Vista Piatta Vista ad Albero
Discussioni [ Precedente | Successivo ]
toggle
MICHAIL MOUDATSOS
Encrypted DB pass word in portal-ext.properties of Liferay 6.1
13 gennaio 2012 5.00
Risposta

MICHAIL MOUDATSOS

Punteggio: Regular Member

Messaggi: 110

Data di Iscrizione: 4 ottobre 2011

Messaggi recenti

Hello all,

as a follow up to the post To encrypt the DB password in portal-ext properties file of the server, the Liferay source code that must be modified in order to rebuild portal-impl.jar and achieve this goal, has been relocated in the following class: com.liferay.portal.dao.jdbc.DataSourceFactoryImpl

here's the code fragment:

 1
 2public class DataSourceFactoryImpl implements DataSourceFactory {
 3
 4    //...
 5
 6    public DataSource initDataSource(Properties properties) throws Exception {
 7        Properties defaultProperties = PropsUtil.getProperties(
 8            "jdbc.default.", true);
 9
10        /**
11         * Overriding code: begin
12         */
13
14        Enumeration<String> propEnum = (Enumeration<String>)defaultProperties.propertyNames();
15
16        while(propEnum.hasMoreElements())
17        {
18            String key = propEnum.nextElement();
19
20            if(key.equalsIgnoreCase("password"))
21            {
22                /*Property jdbc.default.encrypted.password enables one to define whether the provided password is encrypted or not*/
23                boolean isEncrypted = GetterUtil.getBoolean(defaultProperties.getProperty("encrypted.password"));
24
25                if(isEncrypted)
26                {
27                    String value = defaultProperties.getProperty(key);
28                    Base64 base64 = new Base64();
29                    byte[] bytesArray = base64.decode(value.getBytes());
30                    value = new String(bytesArray);
31                    /*Set the password property in the property member field since it is the one to be taken into account*/
32                    properties.setProperty(key, value);
33                }
34            }
35        }
36
37        /**
38         * Overriding code: end
39         */
40//rest of code...


Hope this helps...

P.S. Just as in the referenced post, no code is deleted (only added) and this is a simple password encoding from chars to base64
David H Nebinger
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
12 gennaio 2012 5.07
Risposta

David H Nebinger

Community Moderator

Punteggio: Liferay Legend

Messaggi: 11785

Data di Iscrizione: 1 settembre 2006

Messaggi recenti

Great work, Michail. Thanks for sharing!
Kevin Kocher
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 12.24
Risposta

Kevin Kocher

Punteggio: New Member

Messaggi: 7

Data di Iscrizione: 30 ottobre 2012

Messaggi recenti

Is this still the best approach for this?
Theoretically, could this be implemented by extending the DataSourceFactoryBean and changing the appropriate spring configuration?
Are the steps for doing that or something similar in another post somewhere that I may have missed (sorry, new project for me and I'm still ramping up)
I was told I can't modify LifeRay directly in this case or it would violate the LGPL license.
Thanks for any insight.
David H Nebinger
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 12.38
Risposta

David H Nebinger

Community Moderator

Punteggio: Liferay Legend

Messaggi: 11785

Data di Iscrizione: 1 settembre 2006

Messaggi recenti

The LGPL prevents you from selling a modified Liferay.

If you have an internal requirement to not keep plaintext database passwords on the server and are not selling the resulting Liferay, you should be okay.

Please note that I'm not a lawyer and you should seek counsel from a real attorney.
Kevin Kocher
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 12.46
Risposta

Kevin Kocher

Punteggio: New Member

Messaggi: 7

Data di Iscrizione: 30 ottobre 2012

Messaggi recenti

Thanks for the reply and yes we are in fact implementing a commercial product with LR bundled.
We will fail any security audits our clients have in place unless we can store the password encrypted. This would be a show stopper for us unless we can find a workaround that satisfies everyone's legal requirements.
Luis Mas
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 13.03
Risposta

Luis Mas

Punteggio: Regular Member

Messaggi: 146

Data di Iscrizione: 18 maggio 2009

Messaggi recenti

You could propose this change through JIRA and if Liferay accepts this (I think they would), it woud be part of Liferay Source and you wouldn't have any problem with LGPL.

They could extend this solution for LDAP connection parameters.
Kevin Kocher
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 13.40
Risposta

Kevin Kocher

Punteggio: New Member

Messaggi: 7

Data di Iscrizione: 30 ottobre 2012

Messaggi recenti

That seems like a good way to move this forward if in fact there isn't something acceptable in place already, thanks for the suggestion. I can do that much as the worst that can happen is that it's rejected (or I'm pointed to an implemented solution).

And, just for the record, so it's here publicly, I'm certainly not asking anyone who responds here to be "legally" verifiable. It's just a discussion, nothing more. We do have our own legal department that gets involved to review and/or get approval for the products we bundle and what we do or say here has no bearing on that.

Thanks again for the help.
James Falkner
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 13.48
Risposta

James Falkner

Community Moderator

Punteggio: Liferay Legend

Messaggi: 1406

Data di Iscrizione: 17 settembre 2010

Messaggi recenti

David H Nebinger:
The LGPL prevents you from selling a modified Liferay.

If you have an internal requirement to not keep plaintext database passwords on the server and are not selling the resulting Liferay, you should be okay.

Please note that I'm not a lawyer and you should seek counsel from a real attorney.


I am also not a lawyer, but as I understand LGPL - it does not prevent you from selling a modified copy of LGPL software, but you have to make the source code of your modifications available to those you sell it to, and you have to license your modifications under LGPL too. So someone buying your custom version could potentially post your modified source publicly, or make their own changes and sell that, and not give you anything.

See the FAQ.
Kevin Kocher
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 14.15
Risposta

Kevin Kocher

Punteggio: New Member

Messaggi: 7

Data di Iscrizione: 30 ottobre 2012

Messaggi recenti

That sort of rings a bell for me as well James, but where I work, I don't control that decision, nor would I want to speak on behalf of my company in that regard. At this stage all I can say is, the people I work for will not allow my team to modify the source directly. Short of having this code incorporated within LR itself officially (or a supported hook), a spring configuration mod would be a possibility at this stage to propose to our legal dept. At that point they'd review our agreement with LR and inform us how to proceed. I did create a new topic in the suggestions and features area. Not sure if that was the correct route. I apologize if it isn't:
http://www.liferay.com/community/forums/-/message_boards/message/17580376
James Falkner
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 14.56
Risposta

James Falkner

Community Moderator

Punteggio: Liferay Legend

Messaggi: 1406

Data di Iscrizione: 17 settembre 2010

Messaggi recenti

Kevin Kocher:
That sort of rings a bell for me as well James, but where I work, I don't control that decision, nor would I want to speak on behalf of my company in that regard. At this stage all I can say is, the people I work for will not allow my team to modify the source directly. Short of having this code incorporated within LR itself officially (or a supported hook), a spring configuration mod would be a possibility at this stage to propose to our legal dept. At that point they'd review our agreement with LR and inform us how to proceed. I did create a new topic in the suggestions and features area. Not sure if that was the correct route. I apologize if it isn't:
http://www.liferay.com/community/forums/-/message_boards/message/17580376



Totally understand - open source licenses scare a lot of legal depts emoticon

And yeah, that's the right way to go (suggestions and features area).
Hitoshi Ozawa
RE: Encrypted DB pass word in portal-ext.properties of Liferay 6.1
30 ottobre 2012 18.22
Risposta

Hitoshi Ozawa

Punteggio: Liferay Legend

Messaggi: 7949

Data di Iscrizione: 23 marzo 2010

Messaggi recenti

I am also not a lawyer, but as I understand LGPL - it does not prevent you from selling a modified copy of LGPL software, but you have to make the source code of your modifications available to those you sell it to, and you have to license your modifications under LGPL too.


Slight correction. It's possible to distribute the work as GPL too.