Feature Request
Resolution: Obsolete
Optional
EAP_EWP 5.1.0
Not Required

The JBoss EAP5 Security Guide outlines numerous ways of masking/encrypting passwords:

16.1 Password masking
- Uses jboss-as/bin/password_tool.sh via a shell command to create and manage passwords
- Uses annotations to inject passwords into config files:
  <annotation>@org.jboss.security.integration.password.Password(securityDomain=MASK_NAME, methodName=setPROPERTY_NAME)</annotation>

17.1 Secured Identity Login Module
- Uses org.jboss.resource.security.SecureIdentityLoginModule via a shell command to create encrypted passwords
- Uses an application-policy to inject the password

17.2 Configured Identity with PBE
- Uses org.jboss.security.plugins.PBEUtils via a shell command to create encrypted passwords
- Uses an opaque master password (no details on how to create this though)
- Uses a JaasSecurityDomain and an application-policy to inject the password

18 Encrypted Tomcat keystore password
- Uses org.jboss.security.plugins.FilePassword via a shell command to encrypt the password
- Uses a JaasSecurityDomain to inject the password

19.1 LdapExtLoginModule with JaasSecurityDomain
- Uses org.jboss.security.plugins.JaasSecurityDomain via JMX to encode a password
- Uses a JaasSecurityDomain to inject the password

Can we create a common approach that can be taken for all of the following:
- JMS Sucker password
- Data source passwords
- Tomcat SSL keystore password
- LDAP bind credentials
- Any other SSL keystore passwords (i.e. EJB3 RMI & SSL)