Securing a password in a properties file


Question

I have a java application that connects to a database.
The user name and password for the database are stored in a properties file.
What is the common practice to avoid storing the password in cleartext in the properties file while still retaining the option to let the user change it?
The main motivation here is to prevent someone looking over the admin's shoulder and seeing the password while the admin is editing the properties file.
I read here that there's a built in way to do it in C#.
Knowing java, I don't expect to find a built in solution but I'd like to hear what other people are doing.
If I don't find any good choice then I am probably going to encrypt it with a constant password that will be kept in the code. But I'd hate to do it this way because it feels wrong.

Edit Dec 12th 2012 Looks like there is no magic and I must store the password in the code or something similar. At the end we implemented something very similar to what Jasypt that was mentioned in one of the answers does. So I'm accepting the Jasypt answer because it is the closest thing to a definite answer.

Solution

Jasypt provides the org.jasypt.properties.EncryptableProperties class for loading, managing and transparently decrypting encrypted values in .properties files, allowing the mix of both encrypted and not-encrypted values in the same file.

http://www.jasypt.org/encrypting-configuration.html

By using an org.jasypt.properties.EncryptableProperties object, an application would be able to correctly read and use a .properties file like this:

datasource.driver=com.mysql.jdbc.Driver 
datasource.url=jdbc:mysql://localhost/reportsdb 
datasource.username=reportsUser 
datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm) 

Note that the database password is encrypted (in fact, any other property could also be encrypted, be it related with database configuration or not).

How do we read this value? Like this:

import java.io.FileInputStream;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.properties.EncryptableProperties;

/*
 * First, create (or ask some other component for) the adequate encryptor for
 * decrypting the values in our .properties file.
 */
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setPassword("jasypt"); // could be got from web, env variable...

/*
 * Create our EncryptableProperties object and load it the usual way.
 */
Properties props = new EncryptableProperties(encryptor);
props.load(new FileInputStream("/path/to/my/configuration.properties"));

/*
 * To get a non-encrypted value, we just get it with getProperty...
 */
String datasourceUsername = props.getProperty("datasource.username");

/*
 * ...and to get an encrypted value, we do exactly the same. Decryption will
 * be transparently performed behind the scenes.
 */
String datasourcePassword = props.getProperty("datasource.password");

// From now on, datasourcePassword equals "reports_passwd"...
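
Added example, not part of the original answer or of Jasypt's documentation: a small admin tool for the "let the user change it" half of the question. It reads the new password without echoing it, stores it as an ENC(...) value, and checks that EncryptableProperties can read it back. The class name SetDbPassword and the environment variable APP_CONFIG_KEY are assumptions made for this sketch.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.properties.EncryptableProperties;

public class SetDbPassword {
    // Assumed names for this example; neither comes from the original page.
    static final String KEY_ENV = "APP_CONFIG_KEY";
    static final String PROP = "datasource.password";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: SetDbPassword <file>");
        String path = args[0];

        // The encryptor password comes from the environment, not from source code.
        String key = System.getenv(KEY_ENV);
        if (key == null || key.isEmpty()) throw new IllegalStateException(KEY_ENV + " is not set");
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(key);

        // readPassword() does not echo, so the new value never appears on screen.
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no interactive console");
        String plain = new String(console.readPassword("New database password: "));

        // Load with plain Properties so existing ENC(...) values stay encrypted on rewrite.
        // Note: Properties.store() keeps the values but not comments or ordering.
        Properties raw = new Properties();
        try (InputStream in = new FileInputStream(path)) { raw.load(in); }
        raw.setProperty(PROP, "ENC(" + enc.encrypt(plain) + ")");
        try (OutputStream out = new FileOutputStream(path)) { raw.store(out, null); }

        // Round trip: this is how the application itself would read the value.
        Properties props = new EncryptableProperties(enc);
        try (InputStream in = new FileInputStream(path)) { props.load(in); }
        if (!plain.equals(props.getProperty(PROP))) {
            throw new IllegalStateException("stored value does not decrypt to the input");
        }
        System.out.println(PROP + " updated in " + path);
    }
}
```

The stored value is only as protected as APP_CONFIG_KEY: anyone who can read both the file and that variable can decrypt it.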
