Jetty Tools
Password Obfuscation
There are many cases where you might need to provide credentials such as usernames and passwords to authenticate your access to certain services, for example KeyStore and TrustStore passwords, JDBC credentials, Basic or Digest authentication credentials, etc.
Passwords are typically stored in clear-text in configuration files; a program such as Jetty reading the configuration file must be able to retrieve the original password to pass it to the service (for example a KeyStore or a JDBC driver).
You can protect clear-text stored passwords from casual view by obfuscating them using class org.eclipse.jetty.util.security.Password:
$ java -cp jetty-util-12.1.4-SNAPSHOT.jar org.eclipse.jetty.util.security.Password --prompt
Username: (1)
Password: secret (2)
OBF:1yta1t331v8w1v9q1t331ytc (3)
MD5:5eBe2294EcD0E0F08eAb7690D2A6Ee69 (4)
...
MD:SHA-1:E5E9Fa1bA31eCd1aE84f75CaAa474f3a663f05F4
...
MD:SHA3-256:F5A5207a8729B1F709Cb710311751eB2Fc8aCaD5A1Fb8aC991B736E69b6529A3
...
| 1 | Hit Enter to specify a blank user. |
| 2 | Enter the password you want to obfuscate. |
| 3 | The obfuscated password. |
| 4 | MD5 and other MessageDigest checksums of the password, using different algorithms. |
The Password tool produced an obfuscated string for the password secret, namely OBF:1yta1t331v8w1v9q1t331ytc (the prefix OBF: must be retained).
The obfuscated string can be de-obfuscated to obtain the original password.
Now you can use the obfuscated password in Jetty configuration files, for example to specify the KeyStore password in ssl-context.ini when configuring secure connectors, as explained here.
For example:
jetty.sslContext.keyStorePassword=OBF:1yta1t331v8w1v9q1t331ytc
| Remember that password obfuscation only protects from casual view — it can be de-obfuscated to obtain the original password. |
| You can also use the obfuscated password in your Java source code. |
You can also use obfuscated passwords in Jetty XML files where a clear-text password is usually required.
Here is an example, setting an obfuscated password for a JDBC DataSource:
<New id="myDS" class="org.eclipse.jetty.plus.jndi.Resource">
  <Arg></Arg>
  <Arg>jdbc/myDS</Arg>
  <Arg>
    <New class="com.zaxxer.hikari.HikariDataSource">
      <Arg>
        <New class="com.zaxxer.hikari.HikariConfig">
          <Set name="dataSourceClassName">org.postgresql.ds.PGSimpleDataSource</Set>
          <Set name="username">dbuser</Set>
          <Set name="password">
            <Call class="org.eclipse.jetty.util.security.Password" name="deobfuscate"> (1)
              <Arg>OBF:1yta1t331v8w1v9q1t331ytc</Arg>
            </Call>
          </Set>
          ...
        </New>
      </Arg>
    </New>
  </Arg>
</New>
| 1 | Note the usage of Password.deobfuscate(...) to avoid storing the clear-text password in the XML file. |
On the other hand, MessageDigest checksums of passwords are useful when Jetty receives a password and needs to verify it without storing the original password (for example, with Basic authentication).
Unlike obfuscated passwords, password checksums are not reversible, so they cannot be used when Jetty needs to pass the original password to other services.
You can store the Basic authentication credentials in checksum form on the server, and verify the password received from the client by comparing the stored checksum with the checksum of the received password computed on-the-fly. If the checksums are identical, then the password was correct.
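The two credential forms described on this page, as an added Python example (not Jetty's own code): a reimplementation of the OBF: byte-pairing scheme used by Jetty's Password class, which round-trips the page's value for secret, and a server-side verifier that accepts either an OBF: or an MD5: stored credential and compares in constant time. The hex digest is compared case-insensitively because the tool prints it in mixed case.

```python
import hashlib
import hmac

OBF_PREFIX = "OBF:"
DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS36[r] + out
    return out or "0"

def obfuscate(password: str) -> str:
    # Each byte is mixed with its mirror byte and written as a 4-char base-36
    # group; a pair containing a non-ASCII byte is stored raw with a 'U' marker.
    b = password.encode("utf-8")
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        if b1 >= 128 or b2 >= 128:
            groups.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            groups.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)

def deobfuscate(obf: str) -> str:
    # No key is involved: anyone holding the OBF: string recovers the password.
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)  # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
            i += 4
    return out.decode("utf-8")

def check_password(stored: str, received: str) -> bool:
    # Server-side check of a received password against the stored credential:
    # OBF: is reversed, MD5: is recomputed; both are compared in constant time.
    if stored.startswith(OBF_PREFIX):
        return hmac.compare_digest(deobfuscate(stored).encode(), received.encode())
    if stored.startswith("MD5:"):
        digest = hashlib.md5(received.encode("utf-8")).hexdigest()
        return hmac.compare_digest(stored[4:].lower(), digest)
    return hmac.compare_digest(stored.encode(), received.encode())
```

A plain MessageDigest checksum like the MD5: form is unsalted, so two accounts with the same password store the same value; that is a property of the format the tool prints, not something this example changes.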
|
The |