Java/Spring: How to retrieve a password from the JBOSS vault

Posted on 2025-01-14 15:07:12

I am trying to modify our Java/Spring Framework web application to retrieve the Oracle database password from the JBOSS Password vault.

Currently, our mvc-dispatcher-servlet.xml file references a base.oracle.db.passWord key in the oracle.db.properties file.

mvc-dispatcher-servlet.xml file:

<bean id="dataSource"
        class="com.mycompany.myorg.myapp.datasource.EncryptedDriverManagerDataSource" destroy-method="close">
        <!-- <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />-->
        <property name="URL" value="${base.oracle.db.url}" />
        <property name="user" value="${base.oracle.db.userName}" />

        <!-- <property name="password" value="${base.oracle.db.passWord}" /> commented out and tried the following line-->
        <property name="password" value="${VAULT::oracle.db.password::password::}" />

        <property name="connectionCachingEnabled" value="true"/>
        <property name="connectionCacheProperties">
             <props>
                 <prop key="MinLimit">2</prop>
                 <prop key="MaxLimit">10</prop>
                 <prop key="InitialLimit">10</prop>
                 <prop key="InactivityTimeout">2</prop>
             </props>
        </property>     
    </bean>     

Oracle-db.properties file:

base.oracle.db.driver=oracle.jdbc.driver.OracleDriver
base.oracle.db.userName=myusercode
base.oracle.db.url=jdbc:oracle:thin:@ldap://oid.gtm.internal.mycompany.com:3060/ourtargetenv,cn=OracleContext,dc=mycompany,dc=com
base.oracle.db.passWord=mypassword

I am working under the assumption that the password value has been properly stored in the VAULT using the key base.oracle.db.passWord.

I was given an example of how to access the vault to get the password. The example entailed making a reference to the vault from within the context.xml file, not the oracle-db.properties file. The following was the example I was given.

context.xml file:

<Context>
    

        <!-- Default set of monitored resources. If one of these changes, the    -->
        <!-- web application will be reloaded.                                   -->
        <WatchedResource>WEB-INF/web.xml</WatchedResource>
        <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
        <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    

        <!-- Uncomment this to disable session persistence across Tomcat restarts -->
        <!--
        <Manager pathname="" />
        -->
    

        <Resource name="fds_ui" auth="Container"
                  type="javax.sql.DataSource"
                  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
                  driverClassName="oracle.jdbc.OracleDriver"
                  url="jdbc:oracle:thin:@ldap://oid.gtm.internal.cigna.com:3060/fdsdev,cn=OracleContext,dc=mycompany,dc=com"
                  username="myusercode"
                  password="${VAULT::oracle.db.password::password::}"
                  removeAbandoned="true"
                  removeAbandonedTimeout="300"
                  logAbandoned="true"
        />
    

    </Context>

However, given that I am not a Java developer and our Java developer doesn’t know how to access the vault, I am trying to help find the answer. My attempt included modifying the above mvc-dispatcher-servlet.xml file to change this line

<property name="password" value="${base.oracle.db.passWord}" /> 

to

<property name="password" value="${VAULT::oracle.db.password::password::}" />

But when I tried this, I got an “invalid usercode/password” error, indicating that the password either was not properly stored in the vault (I believe it was) or the VAULT reference that I added to the oracle-db.properties file does not work the same way as it presumably might from the context.xml file.

I’m well out of my comfort zone and don’t know what else to provide to help you help me but I would appreciate any suggestions.

I've looked at

Cyberark retrieve password from vault using JAVA

But this seems like it is a manual approach to retrieving the password from Cyberark. I know we use Cyberark internally. Could the VAULT statement that I was told to use within my context.xml file be a reference to some API that accesses Cyberark under the covers? I imagine that this might be the case and that I shouldn't be re-inventing functionality to do this if there is a more high level way to get it.
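
An added diagnostic example, not part of the original post or of any project it mentions: it runs the two `password` values from the post through Spring's `PropertyPlaceholderHelper` with Spring's default `${`, `}` and `:` delimiters, where text after the first `:` in a placeholder is taken as a default value rather than as a vault lookup. It assumes the application uses Spring's standard placeholder support with those defaults and has spring-core on the classpath; the class name `VaultPlaceholderCheck` and the `looksUnresolved` guard are hypothetical.

```java
import java.util.Properties;
import java.util.regex.Pattern;
import org.springframework.util.PropertyPlaceholderHelper;

public class VaultPlaceholderCheck {

    // Same delimiters Spring's placeholder configurers use by default:
    // "${" prefix, "}" suffix, ":" between a key and its default value.
    private static final PropertyPlaceholderHelper SPRING_DEFAULTS =
            new PropertyPlaceholderHelper("${", "}", ":", false);

    // A value that still carries vault syntax was never resolved by a vault:
    // either the whole "VAULT::block::attribute::key" form, or the
    // "::"-delimited remainder left once a leading "VAULT:" key is split off.
    private static final Pattern UNRESOLVED =
            Pattern.compile("^(\\$\\{)?(VAULT)?:{1,2}[^:]+::[^:]+::[^:}]*\\}?$");

    static String resolveLikeSpring(String raw, Properties props) {
        return SPRING_DEFAULTS.replacePlaceholders(raw, props);
    }

    // Guard a data source setter could call to fail fast at startup instead
    // of sending leftover placeholder text to the database as a password.
    static boolean looksUnresolved(String value) {
        return value != null && UNRESOLVED.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed stand-in for oracle-db.properties (values from the post).
        Properties props = new Properties();
        props.setProperty("base.oracle.db.userName", "myusercode");
        props.setProperty("base.oracle.db.passWord", "mypassword");

        String[] candidates = {
            "${base.oracle.db.passWord}",
            "${VAULT::oracle.db.password::password::}"
        };
        for (String raw : candidates) {
            String resolved = resolveLikeSpring(raw, props);
            // Report only whether the value is usable, never the secret itself.
            System.out.printf("%-45s unresolved-vault-syntax=%b length=%d%n",
                    raw, looksUnresolved(resolved), resolved.length());
        }
    }
}
```

If the second line reports unresolved vault syntax, the database is being sent placeholder text rather than the stored secret, which would produce a login failure regardless of what the vault contains.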
