Play framework [I'm using v1.2.3] does not support encrypting the DB password stored in application.conf. It is stored in a plain-text file. DBPlugin reads this property and creates a connection pool.
The requirement is to encrypt this password, for example using Jasypt. Some enterprises enforce this as a security measure.
Has anybody tried doing something like this?
Since DBPlugin loads on ApplicationStart, there is no way to hack it. That leaves writing a custom plugin and, in onConfigurationRead, setting a new value for the db.password property of application.conf.
Any suggestions?
Finally I fixed this by writing a Play plugin. Writing a Play plugin is also very easy. Here is the sample code:
package plugin;

import org.jasypt.util.text.StrongTextEncryptor;
import play.Play;
import play.PlayPlugin;

// Runs before DBPlugin reads db.pass, so the pool is built with the decrypted value.
public class DBPasswordInject extends PlayPlugin {

    @Override
    public void onConfigurationRead() {
        StrongTextEncryptor strongTextEncryptor = new StrongTextEncryptor();
        strongTextEncryptor.setPassword("$Look##$2"); // this password has been used to encrypt
        // db.pass in application.conf holds the Jasypt ciphertext, not the real password
        String encryptedPassword = Play.configuration.getProperty("db.pass");
        String decrypted = strongTextEncryptor.decrypt(encryptedPassword);
        Play.configuration.setProperty("db.pass", decrypted); // override in-memory config
        super.onConfigurationRead();
    }
}
The only downside is that I was not able to use org.jasypt.util.password.StrongPasswordEncryptor - because there is no decrypt method.
Well the problem is which password should be used to encrypt the password? If you use a default password it's not safe either. If you put it into the configuration file you have a recursive problem. The only solution I see is to use your own plugin where the password is stored and change the values in the application properties. Then the password can be stored encrypted with no problems. At least in Play 1.x.
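As an added example (not code from either answer above, nor from Play or Jasypt), here is a variant of the plugin from the accepted answer that addresses the key-management concern raised in the last reply: the Jasypt master key is taken from an environment variable or JVM system property instead of being hard-coded or placed in application.conf, and only values wrapped as ENC(...) are decrypted. The names PLAY_DB_PASS_KEY, DBPasswordDecrypt and the ENC(...) wrapper are conventions chosen for this example.

```java
package plugin;

import org.jasypt.util.text.StrongTextEncryptor;
import play.Logger;
import play.Play;
import play.PlayPlugin;

/**
 * Decrypts db.pass before DBPlugin builds the connection pool.
 * Register it in conf/play.plugins with an index lower than DBPlugin's
 * (Play 1.x runs plugins in ascending index order), for example:
 *   50:plugin.DBPasswordDecrypt
 */
public class DBPasswordDecrypt extends PlayPlugin {

    // Hypothetical names for this example: the master key lives in the
    // environment (or a -D system property), never in application.conf.
    private static final String KEY_ENV = "PLAY_DB_PASS_KEY";
    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";

    @Override
    public void onConfigurationRead() {
        String raw = Play.configuration.getProperty("db.pass");
        // Leave plain-text passwords untouched so dev/test configs keep working.
        if (raw == null || !raw.startsWith(PREFIX) || !raw.endsWith(SUFFIX)) {
            super.onConfigurationRead();
            return;
        }
        String masterKey = System.getenv(KEY_ENV);
        if (masterKey == null) {
            masterKey = System.getProperty(KEY_ENV);
        }
        if (masterKey == null || masterKey.isEmpty()) {
            // Fail fast rather than start with a password DBPlugin cannot use.
            throw new IllegalStateException(KEY_ENV + " is not set; cannot decrypt db.pass");
        }
        String cipherText = raw.substring(PREFIX.length(), raw.length() - SUFFIX.length());
        StrongTextEncryptor encryptor = new StrongTextEncryptor();
        encryptor.setPassword(masterKey);
        // Override only the in-memory copy; application.conf on disk keeps the ciphertext.
        Play.configuration.setProperty("db.pass", encryptor.decrypt(cipherText));
        Logger.info("db.pass decrypted using key from %s", KEY_ENV);
        super.onConfigurationRead();
    }
}
```

The ciphertext for application.conf is produced once, offline, with the same master key via StrongTextEncryptor.encrypt(realPassword) and written as db.pass=ENC(...).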