How to store password as encrypted in properties file in Spring

Question

I am very new in Spring framework and I am using Spring framework to manage my database connections and so on. Applicaiton reads my db connection parameters from a property file. The thing I need is to store my connection password in property file as encrypted. Here is my datasource xml file

    <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">

    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location">
            <value>file:${DBConfigFile}</value>
        </property>
    </bean>

    <bean id="myDataSource"   class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
        <property name="driverClass" value="${jdbc.driverClassName}" />
        <property name="jdbcUrl" value="${jdbc.url}" />
        <property name="user" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
        <property name="initialPoolSize"><value>3</value></property>
        <property name="minPoolSize"><value>3</value></property>
        <property name="maxPoolSize"><value>50</value></property>
        <property name="idleConnectionTestPeriod"><value>200</value></property>
        <property name="acquireIncrement"><value>1</value></property>
        <property name="maxStatements"><value>0</value></property>
        <property name="numHelperThreads"><value>3</value></property>
    </bean>

</beans>

I am thiking to write the password encrypted to property file and I am wondering if Spring can decrypt it with an algorithm automatically. Is it possible with configuration. Thank you in advance.

Answer 1

As far I known Spring does not support this ability, but some other project may be helpfull:

• Jasypt library offers support for encrypted application configuration (and also integrates with Spring). See details: http://www.jasypt.org/encrypting-configuration.html

• OWASP Project provides EncryptedProperties interfaces with DefaultEncryptedProperties and ReferenceEncryptedProperties implementations which may be used in your application. See also: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file

Answer 2

I am using spring 4 and jasypt 1.9. Jasypt documentation does not provide explicit support for spring 4. I could not locate class named EncryptablePropertyPlaceholderConfigurer with org.jasypt:jasypt:1.9.2 dependency either.

I wrote a simple static encryption utility java class (this uses jasypt API).

public class EncryptionUtil {
    static PooledPBEStringEncryptor encryptor = null;
    static {
        encryptor = new PooledPBEStringEncryptor();
        encryptor.setPoolSize(4); 
        //  There are various approaches to pull this configuration via system level properties. 
        encryptor.setPassword("parashar");
        encryptor.setAlgorithm("PBEWITHMD5ANDDES");
    }

    public static String encrypt(String input) {
        return encryptor.encrypt(input);
    }

    public static String decrypt(String encryptedMessage) {
        return encryptor.decrypt(encryptedMessage);
    }

}

I used this utility to encrypt the passwords I intended to keep in my property files.

I then simply used spring EL to decrypt the properties back in my spring config xml.

<property name="password" value="#{T(amit.parashar.EncryptionUtil).decrypt('${db.password}')}" />

EDIT : To answer on how to hide the encryption password :

Use system args while bringing up your java process. 

for e.g. : java -Dwhatismyencpawd="parashar"

and use it like

encryptor.setPassword(java.lang.System.getProperty("whatismyencpawd"));

This way only the app admin would know the password. This way password will be visible as part of ps command though on a UNIX box.

or You can configure and read from OS level environment variable as well.