
Proper way to retrieve password for Datasource from external service in Wildfly

Discussion in 'StackOverflow' started by Stack, April 23, 2021.

  1. Stack

    Stack Active Member

    I have an application running under Wildfly 21. I'm also using MariaDB and OpenJPA. The problem is that the password used to connect to MariaDB is retrieved from an external custom service, and it can change at any time. Unfortunately I am not getting any notification that the database password has been changed. I'm looking for a way where Wildfly could handle a situation when there is a problem with the connection to the database, and will be able to retrieve and replace the old password.

    So far I have tried to solve this problem using security domain and extend ConfiguredIdentityLoginModule class to retrieve and overwrite the password. Like in this case: Wildfly - set datasource password at runtime

    The code which extends ConfiguredIdentityLoginModule is added as Wildfly module.

    Here is my actual implementation:

    Datasource:

    <datasource enabled="true" jndi-name="jdbc/aenDS" pool-name="aenDS">
        <connection-url>jdbc:mariadb://localhost:3306/AEN</connection-url>
        <driver>mariadb</driver>
        <pool>
            <min-pool-size>5</min-pool-size>
            <max-pool-size>50</max-pool-size>
        </pool>
        <security>
            <security-domain>aenSecurityDomain</security-domain>
        </security>
    </datasource>


    Login module implementation:

    public class DatabaseLoginModule extends ConfiguredIdentityLoginModule {

        @Override
        public void initialize(final Subject subject, final CallbackHandler handler,
                               final Map<String, ?> sharedState, final Map<String, ?> options) {
            // copy the module options so the configured "password" entry can be replaced
            final Map<String, Object> newOptions = new HashMap<>(options);
            // retrieve the current password from the external credential service
            final String password = new CredentialService().retrievePassword(options.get("username"), "database");
            // update options with the new password before the parent module reads them
            newOptions.put("password", password);
            super.initialize(subject, handler, sharedState, newOptions);
        }
    }


    Security domain:

    <security-domain name="aenSecurityDomain" cache-type="default">
        <authentication>
            <login-module code="com.aen.DatabaseLoginModule" flag="required" module="com.aen">
                <module-option name="principal" value="user"/>
                <module-option name="username" value="user"/>
                <module-option name="password" value="sa"/>
                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=aenDS"/>
            </login-module>
        </authentication>
    </security-domain>


    The main problem in this solution is how many times DatabaseLoginModule is called. When cache-type is not defined in the security domain (cache is not used), then DatabaseLoginModule is called every time OpenJPA obtains a connection from the pool. During the tests, more than 50 password inquiries were made within 10 seconds. It's way too much. When the "default" value is used in cache-type, then DatabaseLoginModule is called only once during startup and never again. So the password is never updated.

    Is there any other way this problem can be solved? Is it possible to clear security domain cache when connection to database fails?

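The two failure modes the post describes (no cache: one external lookup per pool checkout; cache-type="default": one lookup for the life of the server) can be narrowed by caching the retrieved password inside the login module itself, with a bounded time-to-live and an explicit invalidation hook for the code path that observes a failed connection. The following is an added example written for this thread, not the poster's code nor WildFly's own API. It assumes the PicketBox package name for ConfiguredIdentityLoginModule (verify it against your WildFly version), that the poster's CredentialService.retrievePassword takes two String arguments, and that something in the application (an exception sorter, a retry wrapper around EntityManager creation, or an operator action) calls invalidateCachedPassword() when authentication to MariaDB fails. The 5-minute TTL is an assumed value; pick one that matches how fast a rotated password must take effect.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
// Assumed location of WildFly's legacy login module; confirm for your server version.
import org.picketbox.datasource.security.ConfiguredIdentityLoginModule;

/** One credential, refreshed from the external service at most once per TTL or after invalidate(). */
final class CachedCredential {
    private final Supplier<String> loader;   // wraps the external credential service call
    private final Duration ttl;
    private String value;                    // null means "must reload"
    private Instant fetchedAt = Instant.EPOCH;
    private long loaderCalls;                // counts round trips to the external service (diagnostics)

    CachedCredential(Supplier<String> loader, Duration ttl) {
        this.loader = loader;
        this.ttl = ttl;
    }

    synchronized String get() {
        if (value == null || Instant.now().isAfter(fetchedAt.plus(ttl))) {
            value = loader.get();
            fetchedAt = Instant.now();
            loaderCalls++;
        }
        return value;
    }

    /** Drop the cached value so the next get() returns to the external service. */
    synchronized void invalidate() {
        value = null;
    }

    synchronized long loaderCalls() {
        return loaderCalls;
    }
}

public class DatabaseLoginModule extends ConfiguredIdentityLoginModule {
    // The security domain creates a new module instance per login, so the cache is held
    // statically to survive across pool checkouts (one datasource per JVM assumed here).
    private static volatile CachedCredential cached;

    private static CachedCredential cacheFor(final String username) {
        if (cached == null) {
            synchronized (DatabaseLoginModule.class) {
                if (cached == null) {
                    cached = new CachedCredential(
                        // Assumed signature: retrievePassword(String username, String scope)
                        () -> new CredentialService().retrievePassword(username, "database"),
                        Duration.ofMinutes(5));   // assumed TTL
                }
            }
        }
        return cached;
    }

    /** Invoke from the code that detects a failed database login so the next pool checkout re-fetches. */
    public static void invalidateCachedPassword() {
        final CachedCredential c = cached;
        if (c != null) {
            c.invalidate();
        }
    }

    /** Exposed for monitoring: how often the external service has actually been asked. */
    public static long externalLookups() {
        final CachedCredential c = cached;
        return c == null ? 0 : c.loaderCalls();
    }

    @Override
    public void initialize(final Subject subject, final CallbackHandler handler,
                           final Map<String, ?> sharedState, final Map<String, ?> options) {
        final Map<String, Object> newOptions = new HashMap<>(options);
        final String username = String.valueOf(options.get("username"));
        // Replace the static "password" module option with the cached, possibly refreshed value.
        newOptions.put("password", cacheFor(username).get());
        super.initialize(subject, handler, sharedState, newOptions);
    }
}
```

With this in place the security domain can be left without cache-type, so that initialize() still runs on every checkout, while the external service sees one call per TTL window plus one per invalidation instead of one per connection; externalLookups() gives a number to graph so a regression back to "50 calls in 10 seconds" is visible. Keeping the placeholder value="sa" in the module options is harmless only because the module always overwrites it; if the override ever fails to run, that static value is what the pool will use, which is worth a startup check.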
