JBoss provides a simple mechanism to encrypt database passwords with blowfish. So the standalone.xml does not include our database passwords in plaintext anymore.
First you have to encrypt your password with org.picketbox.datasource.security.SecureIdentityLoginModule. This class includes a main method so you can run it with a single argument which has to be your plaintext password. The result will look like this:
Encoded password: 1ab234cf321cca
The class is included in jboss modules.
Then create a security-domain in your standalone.xml file:
<security-domain name="databaseSecure" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="username"/>
<module-option name="password" value="1ab234cf321cca"/>
</login-module>
</authentication>
</security-domain>
Or with cli:
/subsystem=security/security-domain=databaseSecure:add(cache-type=default)
/subsystem=security/security-domain=databaseSecure/authentication=classic:add(login-modules=[{"code"=>"org.picketbox.datasource.security.SecureIdentityLoginModule", "flag"=>"required", "module-options"=>[("username"=>"username"), ("password"=>"1ab234cf321cca")]}])
The last step is to replace the username+password part of your datasource with a security-domain element. This would look like this in its simplest way:
<datasource jndi-name="java:jboss/datasources/mypgDS" pool-name="MypgDS" enabled="true" use-java-context="true">
<connection-url>jdbc:postgresql:db1</connection-url>
<driver>postgresql</driver>
<security>
<security-domain>databaseSecure</security-domain>
</security>
</datasource>
After theses changes start your application server.
ATTENTION! The passphrase that is used for the Blowfish algorithm is hardcoded in the login module. To make this secure you have to change the password in that component. Change the source and recompile or create an extension and overwrite all necessary parts and add it as a new module.