Jetty Tools

Password Obfuscation

There are many cases where you might need to provide credentials such as usernames and passwords to authenticate your access to certain services, for example KeyStore and TrustStore passwords, JDBC credentials, Basic or Digest authentication credentials, etc.

Passwords are typically stored in clear-text in configuration files, because a program such as Jetty reading the configuration file must be able to retrieve the original password to authenticate with the service.

You can protect clear-text stored passwords from casual view by obfuscating them using class org.eclipse.jetty.util.security.Password:

$ java -cp jetty-util-12.0.10-SNAPSHOT.jar org.eclipse.jetty.util.security.Password --prompt
Username: (1)
Password: secret (2)
OBF:1yta1t331v8w1v9q1t331ytc (3)
MD5:5eBe2294EcD0E0F08eAb7690D2A6Ee69 (4)
(1) Hit Enter to specify a blank user.
(2) Enter the password you want to obfuscate.
(3) The obfuscated password.
(4) The MD5 checksum of the password.

The Password tool produced an obfuscated string for the password secret, namely OBF:1yta1t331v8w1v9q1t331ytc (the prefix OBF: must be retained). The obfuscated string can be de-obfuscated to obtain the original password.

Now you can use the obfuscated password in Jetty configuration files, for example to specify the KeyStore password in ssl.ini when configuring secure connectors, as explained here:

ssl.ini
jetty.sslContext.keyStorePassword=OBF:1yta1t331v8w1v9q1t331ytc
Remember that password obfuscation only protects from casual view — it can be de-obfuscated to obtain the original password.
You can also use the obfuscated password in your Java source code.
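To make concrete what "only protects from casual view" means, here is an added example (not Jetty's own code) that reimplements the OBF encoding used by org.eclipse.jetty.util.security.Password in Python: each byte is paired with its mirror byte from the other end of the password and written as a 4-character base-36 group, non-ASCII bytes use a 5-character group prefixed with U, and decoding needs no key, only the algorithm. The function names obfuscate and deobfuscate mirror the Java ones; the ssl.ini line at the bottom is constructed from the value shown on this page.

```python
# Added example: Python reimplementation of Jetty's OBF scheme (not Jetty's code).
import string

ALPHABET = string.digits + string.ascii_lowercase  # base-36 digit set
PREFIX = "OBF:"

def _base36(n: int) -> str:
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
        if n == 0:
            return "".join(reversed(digits))

def obfuscate(password: str) -> str:
    """Encode a password the way Password.obfuscate does."""
    data = password.encode("utf-8")
    out = [PREFIX]
    for i, b1 in enumerate(data):
        b2 = data[len(data) - 1 - i]  # mirror byte from the other end
        if b1 >= 0x80 or b2 >= 0x80:
            # non-ASCII: 'U' + 4 base-36 chars of (b1 << 8 | b2)
            out.append("U" + _base36(b1 * 256 + b2).zfill(4))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_base36(i1 * 256 + i2).zfill(4))
    return "".join(out)

def deobfuscate(obf: str) -> str:
    """Recover the clear-text password; no secret is involved at all."""
    s = obf[len(PREFIX):] if obf.startswith(PREFIX) else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)  # high byte is b1
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)  # since i1 + i2 = 254 + 2*b1
            i += 4
    return raw.decode("utf-8")

if __name__ == "__main__":
    # Constructed ssl.ini line using the obfuscated value from this page.
    line = "jetty.sslContext.keyStorePassword=OBF:1yta1t331v8w1v9q1t331ytc"
    print(deobfuscate(line.split("=", 1)[1]))
```

Anyone who can read the configuration file can run exactly this decoding, so file permissions, not obfuscation, are what actually protect the password.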

You can also use obfuscated passwords in Jetty XML files where a clear-text password is usually required. Here is an example, setting an obfuscated password for a JDBC DataSource:

<New id="myDS" class="org.eclipse.jetty.plus.jndi.Resource">
  <Arg></Arg>
  <Arg>jdbc/myDS</Arg>
  <Arg>
    <New class="com.zaxxer.hikari.HikariDataSource">
      <Arg>
        <New class="com.zaxxer.hikari.HikariConfig">
          <Set name="dataSourceClassName">org.postgresql.ds.PGSimpleDataSource</Set>
          <Set name="username">dbuser</Set>
          <Set name="password">
            <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate"> <!-- (1) -->
              <Arg>OBF:1yta1t331v8w1v9q1t331ytc</Arg>
            </Call>
          </Set>
          ...
        </New>
      </Arg>
    </New>
  </Arg>
</New>
(1) Password.deobfuscate(...) is called when the XML is processed, so the clear-text password does not appear in the file; as noted above, the obfuscated value can still be reversed by anyone who can read the file.