Dropwizard configuration file security


Question

A configuration file (.yml) is being used for a REST API developed with Dropwizard (0.9.2, the latest release). Most of the credentials needed by the API, such as the database password, secret key, etc., are stored in the configuration file.

We have implemented most of the things based on the items mentioned in the Dropwizard configuration reference.

The question is clear. How secure is it (storing this information in a configuration file as plain text)? If it is not, what is the proper way of doing this?

Recommended answer

Yes, it's not secure indeed. It is even worse if the configuration file is committed to a public repository, or for that matter any repository (version control). One way which I follow is to maintain a local copy (not to be committed to any repository) of the config (.yml) file which has all the sensitive keys, details, etc., and to maintain another example config file which has the sensitive details masked (some dummy strings instead of the actual values). This example config can be committed to your repository, as it has the sensitive details masked.

For all purposes of running your code locally or elsewhere, use the local config file. This way you don't risk exposing sensitive data in a repository. There is an overhead, though, in keeping your example config in sync with your local copy whenever you make any modifications.
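One way to cut the sync overhead the answer mentions, as an added example that is not from the original post: a small Python check, assumed to be run before committing, that reports keys present in the local config but missing from the example config (or vice versa) and any sensitive-looking key whose example value still equals the local value. The minimal YAML flattener is an assumption that handles only nested scalar mappings, not lists or anchors; the two configs are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample: the local config (never committed). Values are dummies.
LOCAL_YML = """\
server:
  applicationContextPath: /api
database:
  driverClass: org.postgresql.Driver
  user: api_user
  password: "local-only-dummy-pw"
  url: jdbc:postgresql://localhost:5432/api
jwtSecret: local-only-dummy-secret
"""

# Constructed sample: the committed example config. It has drifted (database.url
# is missing) and jwtSecret was copied over without being masked.
EXAMPLE_YML = """\
server:
  applicationContextPath: /api
database:
  driverClass: org.postgresql.Driver
  user: api_user
  password: CHANGEME
jwtSecret: local-only-dummy-secret
"""

# Key names that should never carry a real value in the committed example.
SENSITIVE = re.compile(r"(password|secret|token|credential|apikey)", re.I)


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten a simple block-mapping YAML document into {'a.b.c': 'value'}.
    Assumption: only nested scalar mappings; comments and blank lines are skipped."""
    out: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")  # split at the first colon only
        while stack and stack[-1][0] >= indent:      # leave mappings we have exited
            stack.pop()
        value = value.strip()
        if value == "":                              # a parent mapping, not a leaf
            stack.append((indent, key))
        else:
            out[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
    return out


def check_example_config(local: str, example: str) -> Dict[str, List[str]]:
    """Report key drift between the two configs and unmasked sensitive values."""
    l, e = flatten_yaml(local), flatten_yaml(example)
    return {
        "missing_in_example": sorted(set(l) - set(e)),
        "extra_in_example": sorted(set(e) - set(l)),
        "unmasked_secrets": sorted(k for k in l if k in e and SENSITIVE.search(k) and e[k] == l[k]),
    }
```

A non-empty list in any of the three fields means the example config needs attention before the commit goes out.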
