将敏感的配置变量外部化到Config.groovy之外的.properties中是否在Grails中提供安全优势？ [英] Does externalizing sensitive config variables into a .properties outside of Config.groovy provide a security advantage in Grails?

问题描述

据我所知，在Grails默认情况下，配置变量存储在Config.groovy中，一旦部署，属性将包含在战争中。很明显，如果您需要在不重新部署应用程序的情况下更改它们，则会导致问题。但是，我刚刚阅读了Grails AWS Plugin文档中的以下内容：

根据Amazon的建议，您可以使用.properties文件处理您的秘密和访问密钥这个插件。

...

有时，您仍然无法访问文件系统，但不希望将您的凭证全部存放在您的配置文件中

（http://blanq.github.com/grails -aws / 1.2.12.1 / index.html）

在Config.groovy之外存储信用是否有某种安全优势？也许我错过了一些东西：/ b> 解决方案

有几个具体原因，您不希望将安全信息直接包含WAR。

1. 您可能正在与外部开发人员或开发人员合作，他们不应直接访问某些安全信息。 b $ b
2. 您可能正在处理只有少数人应该看到的敏感数据，甚至可能不是您自己。


3. 您可能提前不知道凭据。在其他人提供资源的环境中，情况往往是这样。


4. 您可能想要构建单个WAR，并动态切换凭据而不重新编译整个应用程序，然后重新上传内容。

所以，它提供了一定程度的安全性，但在其他情况下也有很多便利。 b $ b

I understand that in Grails by default configuration vars are stored in Config.groovy and once deployed the properties are contained within the war. Obviously this would cause issues if you needed to change them without redeploying the app. However, I just read the following in the Grails AWS Plugin docs:

"As recommended by Amazon, you can use a .properties file to handle your secret and access keys for this plugin."

...

"Sometimes, you still don't have access to filesystem, but don't want to store your credentials wide open in your configuration file"

(http://blanq.github.com/grails-aws/1.2.12.1/index.html)

Is there some kind of security advantage to storing the creds outside of Config.groovy? Perhaps I'm missing something :/

解决方案

There are several specific reasons you don't want to include security information directly within the WAR.

1. You might be working with outside developers or developers who shouldn't have direct access to certain secure information.
2. You might be working with sensitive data that only a select few should see, possibly not even yourself.
3. You might not know the credentials ahead of time. This is often the case in an environment where someone else provisions resources.
4. You might want to build a single WAR, and dynamically switch the credentials without recompiling the entire application, and then re-uploading the content.

So, it provides some level of security, but also a lot of convenience in other situations.

这篇关于将敏感的配置变量外部化到Config.groovy之外的.properties中是否在Grails中提供安全优势？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！