Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to store password as encrypted in properties file in Spring

I am very new in Spring framework and I am using Spring framework to manage my database connections and so on. Applicaiton reads my db connection parameters from a property file. The thing I need is to store my connection password in property file as encrypted. Here is my datasource xml file

    <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">

    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location">
            <value>file:${DBConfigFile}</value>
        </property>
    </bean>

    <bean id="myDataSource"   class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
        <property name="driverClass" value="${jdbc.driverClassName}" />
        <property name="jdbcUrl" value="${jdbc.url}" />
        <property name="user" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
        <property name="initialPoolSize"><value>3</value></property>
        <property name="minPoolSize"><value>3</value></property>
        <property name="maxPoolSize"><value>50</value></property>
        <property name="idleConnectionTestPeriod"><value>200</value></property>
        <property name="acquireIncrement"><value>1</value></property>
        <property name="maxStatements"><value>0</value></property>
        <property name="numHelperThreads"><value>3</value></property>
    </bean>

</beans>

I am thiking to write the password encrypted to property file and I am wondering if Spring can decrypt it with an algorithm automatically. Is it possible with configuration. Thank you in advance.

like image 703
tace Avatar asked Jul 25 '12 08:07

tace


People also ask

How password should be stored in spring?

Instead of using just the password as input to the hash function, random bytes (known as salt) would be generated for every users' password. The salt and the user's password would be ran through the hash function which produced a unique hash. The salt would be stored alongside the user's password in clear text.


2 Answers

As far I known Spring does not support this ability, but some other project may be helpfull:

  • Jasypt library offers support for encrypted application configuration (and also integrates with Spring). See details: http://www.jasypt.org/encrypting-configuration.html

  • OWASP Project provides EncryptedProperties interfaces with DefaultEncryptedProperties and ReferenceEncryptedProperties implementations which may be used in your application. See also: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file

like image 50
Slava Semushin Avatar answered Sep 26 '22 20:09

Slava Semushin


I am using spring 4 and jasypt 1.9. Jasypt documentation does not provide explicit support for spring 4. I could not locate class named EncryptablePropertyPlaceholderConfigurer with org.jasypt:jasypt:1.9.2 dependency either.

I wrote a simple static encryption utility java class (this uses jasypt API).

public class EncryptionUtil {
    static PooledPBEStringEncryptor encryptor = null;
    static {
        encryptor = new PooledPBEStringEncryptor();
        encryptor.setPoolSize(4); 
        //  There are various approaches to pull this configuration via system level properties. 
        encryptor.setPassword("parashar");
        encryptor.setAlgorithm("PBEWITHMD5ANDDES");
    }

    public static String encrypt(String input) {
        return encryptor.encrypt(input);
    }

    public static String decrypt(String encryptedMessage) {
        return encryptor.decrypt(encryptedMessage);
    }

}

I used this utility to encrypt the passwords I intended to keep in my property files.

I then simply used spring EL to decrypt the properties back in my spring config xml.

<property name="password" value="#{T(amit.parashar.EncryptionUtil).decrypt('${db.password}')}" />

EDIT : To answer on how to hide the encryption password :

Use system args while bringing up your java process. 

for e.g. : java -Dwhatismyencpawd="parashar"

and use it like

encryptor.setPassword(java.lang.System.getProperty("whatismyencpawd"));

This way only the app admin would know the password. This way password will be visible as part of ps command though on a UNIX box.

or You can configure and read from OS level environment variable as well.

like image 36
Amit Parashar Avatar answered Sep 24 '22 20:09

Amit Parashar