Enhance ConfigurationImpl to use OSGi encryption service

Description

The current Pax Web implementation for encrypting/decrypting configuration properties is problematic because it assumes a specific implementation of a Jasypt property encryptor. Besides the fact that this is an OSGi anti-pattern, it makes it difficult to modify the property encryption and decryption capabilities so they are more secure (e.g. implementing the Jasypt interface so that it offloads encryption and decryption to an HSM).

I would like to propose that rather than simply instantiating a new StandardPBEStringEncryptor, the ConfigurationImpl class should maintain a service tracker for any implementations of org.jasypt.encryption.StringEncryptor registered with the OSGi container. This is the way property encryption/decryption is implemented in Pax JDBC and I feel that it is an overall better approach.

See the following links for reference
DataSourceConfigManager.java
Activator.java

Environment

None

Activity

Show:
Matt Pavlovich
March 2, 2017, 5:38 PM

I'd suggest a general solution for managing encrypted configuration data-- not just for jdbc datasources. Users may have http, jms or other client-side passwords that should be encrypted.

Assignee

Unassigned

Reporter

Dariush Amiri

Labels

None

Fix versions

Priority

Major
Configure