My data store connection password is not in clear-text: http://middlewaremagic.com/jboss/?p=1026
But my keystore password IS. This is a problem for customers, especially those running our system on Windows where they can't have reliable file permissions.
Previous versions of JBoss recognized this was a problem:
EncryptKeystorePasswordInTomcatConnector
Acceptable solutions were implemented:
But those aren't available in JBoss 7. https://docs.jboss.org/author/display/AS71/Admin+Guide#AdminGuide-%7B%7B%3Cssl%2F%3E%7D%7D
Vault is overkill and frankly just doesn't work, in our testing at least. We need command line options for changing passwords that don't require CS degrees. And we need it to not crash. We can't move to EAP 6 for this release.
This solution used in Jetty would be perfect: http://wiki.eclipse.org/Jetty/Howto/Secure_Passwords
Base64 encoding is just obfuscated enough for our customers.