I created a maven project which connects to a database . The problem I am facing is I have hardcoded the db username and password but I according to the requirement it should be dynamically read from a .txt file in local path.
Is there any possible way for this solution or any other strategy that I should follow.
Thanks in advance
The java.util.Properties class has several load-methods that is easy to use.
Related
I have stored the password of MongoDB in spring.data.mongodb.password property in application.yml file in my spring boot project. I need to encrypt it so that it is not directly accessed by anyone. I do not intend to do any code changes for it but want to achieve it by some kind of spring boot configuration.
The properties file should never be accessible by anyone (who uses of course the app)... Given that for granted, then I guess you mean to the other people working on your project, in that case I guess a possible solution would be to use BCEncryptor to encode a password and store it either in the properties file or on a side DB and then decrypt it at the launch of the application, through a configuration class or XML.
In any other case you could create a side user in MongoDB giving that use only the permissions you want.
But still, I wouldn't really see the use of it, because if someone have access to the backend of your application...
The issue got resolved. The problem was with the jasypt version. I was using jasypt-3.0.0 and it worked on 2.0.0. The full steps of configuring jasypt in the project can be found here :
https://medium.com/#mail2rajeevshukla/hiding-encrypting-database-password-in-the-application-properties-34d59fe104eb
I have passed the key in application.yml itself as the 3 mentioned methods were not working in my case.
jasypt:
encryptor:
password: secretkey
I got a requirement in Spring boot. I a nearly beginner so kindly ignore my mistake.
Main requirement is I have to encrypt all application.properties data so even someone get access, not be able to read. I don't know whether it is possible or not, So let me know that also.
Why want to do this - I Application.properties hold lots of credentials for DB and Data for other service and some how any hackers get's the credentials then he/she will get other data too of DB and API keys. So doing it for security purpose. It is some finance project.
Requirement: I have Encrypted application.properties file present on S3 Bucket and have to download from there and decrypt the file at the starting of project and the project will load the data from that application.properties file.
I broke down the problem in download and Encryption/Decryption:
So I know how to download file in Maven from URL in specific folder. - Done
How to Decrypt application.properties file and use it to load Credential. - Answer Looking for!
I got the ways by using Jasypt Library in Spring boot but that encrypt the value only.
jasypt.encryptor.password=pass
encrypted.property=ENC(S3oSEyuNwaFBrwfoaNhqvauLAui9F+L9)
And in Any Java file I get the value:
#Value("${encrypted.property}")
private String property;
But that is not hiding any data as If i get the Jasypt then i can decrypt data on Online websites also. And it is also not hiding the keys.
So didn't find it working according to my requirement. So kindly help me in this problem.
I've been searching for a way to avoid hard coding my database credentials into my code base (mainly written in Java), but I haven't found many solutions. I read this post where they said a one way hash could be the answer. Is there another way of securely connecting to a database without running into the risk of someone decompiling your code?
Just to clarify, I'm not looking for code, rather a nudge in the right direction.
If you can used spring boot application, then you can configure using cloud config method. I have added some postgresql db connection details for your further reference. Please refer following link for spring boot cloud config. spring_cloud
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://{{db_url}}:5432/{{db_name}}
spring.datasource.username=postgres
spring.datasource.password=
spring.datasource.maxActive=3
spring.datasource.maxIdle=3
spring.datasource.minIdle=2
spring.datasource.initialSize=2
spring.datasource.removeAbandoned=true
spring.datasource.tomcat.max-wait=10000
spring.datasource.tomcat.max-active=3
spring.datasource.tomcat.test-on-borrow=true
You could load a config file in your code. Define some kind of file, such as JSON or XML, and define all of your configurations in there. You could point to the file as a command line argument, or just hardcode the file path.
Here's a post talking about parsing JSON config in Java:
How to read json file into java with simple JSON library
You can refer to these post. They are basically just saying to either hash, store it in a property file or use an API. Some of the posts are not merely on Java but you can get ideas from them.
How can I avoid hardcoding the database connection password?
https://security.stackexchange.com/questions/36076/how-to-avoid-scripts-with-hardcoded-password
https://www.codeproject.com/Articles/1087423/Simplest-Way-to-Avoid-Hardcoding-of-the-Confidenti
The solution in our team, database as a service,other application use it's API to get database credentials,the request contains simple credentials like application name.
You have several options to avoid hard code values in your source code:
Properties using Advanced Platforms
Properties from Environment variables
Properties from SCM
Properties from File System
More details here:
https://stackoverflow.com/a/51268633/3957754
I am trying my hands on spring boot application. I planned to use HSQLDB for the database.
Purpose: Create User Table, Insert, Update, Delete data
I created User Entity, User dao, and saved user data in the user entity.
Everything is working fine.
What I want is to see the data in the table as we can see it for MySQL.
I tried to use razorSQL, Dbeaver but I can't see tables.
application.properties
spring.jpa.hibernate.ddl-auto: update
spring.jpa.hibernate.dialect=org.hibernate.dialect.HSQLDialect
spring.jpa.database: HSQL
spring.jpa.show-sql: true
spring.hsql.console.enabled: true
spring.datasource.url=jdbc:hsqldb:file:data/mydb
spring.datasource.username=sa
spring.datasource.password=
spring.datasource.driverClassName=org.hsqldb.jdbcDriver
I can see the User table data in the browser:
Files created in the data folder:
I have googled a lot but nothing helps.
Questions:
Can we see the data stored in HSQLDB(when running) as we can see for the MySQL in PHPMyAdmin?
In which file data is stored, I have seen that in the script file it saves all the statements (insert, delete etc). Do we have a separate file to store the data?
what is the use of tmp folder created?
Let me know if you need more details. I need to be clear on this. It has taken a lot of time still I am not satisfied
I am able to visualize the data of hsqldb with the help of hsqldb.jar
Assuming
Database folder named "data" is created which contains files with mydb.log, mydb.properties, mydb.script, mydb.tmp
Steps to visualize when using it as fileDb.
1. Download HSQLDB jar.
2. Extract in the folder where we have "data" folder(it contains database files) database files generated ("data" folder).
3. Now we are in the folder, where database folder is created. Run this command "java -cp hsqldb-2.4.1/hsqldb/lib/hsqldb.jar org.hsqldb.util.DatabaseManagerSwing" here "hsqldb-2.4.1" is the downloaded hsqldb folder. It will open up a UI.
4. In this UI, make a new connection, select type as "HSQL Database Engine Standalone" put URL as "jdbc:hsqldb:file:data/mydb" (here data is the folder and mydb is the DB name), give user and password as defined in application properties, then say ok. It should connect. (Maken sure the path to the file DB is relative to the folder from where we opened the UI)
Let me know in case anyone is getting errors
You can run HSQLDB as a Server and connect to it simultaneously from your Spring app and from a database utility such as dBeaver. The connection URL will look like jdbc:hsqldb:hsql://localhost/mydb. This is very similar to the way MySQL is used.
Detailed coverage is here: http://hsqldb.org/doc/guide/listeners-chapt.html but see the introduction to the Guide first. You can also consult various step-by-step HSQLDB tutorials on the web.
I have Java app that has remote db credentials in hibernate config file in JAR file. I want to encrypt password that if "simple" user would search for the password in would be not human readable.
I have seen Jasypt examples on the web, but there is Jasypt only for hibernate 4. There is no for hubernate 5.
Can I use Jasypt for hibernate 4 with hibernate 5?
Or maybe there is another solution? I know that placing login and password in JAR file is not safe, but thats the way my app is created.
Thanks in advance.
Place the password(s) in an external .properties file. To use the application in test-setup, you can place a properties file inside your project with fake/test credentials to a local database. For production you can place the secrets on the specific machine that needs to connect to the database.
Never put things you want to keep secret in the jar, source or repository.