I've been searching for a way to avoid hard coding my database credentials into my code base (mainly written in Java), but I haven't found many solutions. I read this post where they said a one way hash could be the answer. Is there another way of securely connecting to a database without running into the risk of someone decompiling your code?
Just to clarify, I'm not looking for code, rather a nudge in the right direction.
If you can used spring boot application, then you can configure using cloud config method. I have added some postgresql db connection details for your further reference. Please refer following link for spring boot cloud config. spring_cloud
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://{{db_url}}:5432/{{db_name}}
spring.datasource.username=postgres
spring.datasource.password=
spring.datasource.maxActive=3
spring.datasource.maxIdle=3
spring.datasource.minIdle=2
spring.datasource.initialSize=2
spring.datasource.removeAbandoned=true
spring.datasource.tomcat.max-wait=10000
spring.datasource.tomcat.max-active=3
spring.datasource.tomcat.test-on-borrow=true
You could load a config file in your code. Define some kind of file, such as JSON or XML, and define all of your configurations in there. You could point to the file as a command line argument, or just hardcode the file path.
Here's a post talking about parsing JSON config in Java:
How to read json file into java with simple JSON library
You can refer to these post. They are basically just saying to either hash, store it in a property file or use an API. Some of the posts are not merely on Java but you can get ideas from them.
How can I avoid hardcoding the database connection password?
https://security.stackexchange.com/questions/36076/how-to-avoid-scripts-with-hardcoded-password
https://www.codeproject.com/Articles/1087423/Simplest-Way-to-Avoid-Hardcoding-of-the-Confidenti
The solution in our team, database as a service,other application use it's API to get database credentials,the request contains simple credentials like application name.
You have several options to avoid hard code values in your source code:
Properties using Advanced Platforms
Properties from Environment variables
Properties from SCM
Properties from File System
More details here:
https://stackoverflow.com/a/51268633/3957754
Related
I created a maven project which connects to a database . The problem I am facing is I have hardcoded the db username and password but I according to the requirement it should be dynamically read from a .txt file in local path.
Is there any possible way for this solution or any other strategy that I should follow.
Thanks in advance
The java.util.Properties class has several load-methods that is easy to use.
everyone!
this is going to be my first time pushing a newly developed Spring Boot App and I was wondering if there is a way to protect passwords and other sensitive information written in the application.properties file.
Assuming we have the following lines:
# PostgreSQL connection settings
spring.datasource.jdbc-url=jdbc:postgresql://localhost:5432/bdreminder
spring.datasource.username=username
spring.datasource.password=password
The source code is to be first stored on GitHub and having the credentials stored in plain text does not seem to be a good idea.
So, I could probably add the file to the .gitignore one; I could set some environment variables on the host but how would it populate the .properties file afterward? Also, this seems quite cumbersome in terms of the scaling later on.
So, basically, I am trying to see how it is done in a real-life :)
Please, help :)
Simplest option is to create a profile specific application.properties file and activate that profile. So for example create application-private.properties and activate profile private. Of course you have to watch out to not commit this file.
Alternatively, and probably a safer option, is to define a file outside your project and import it in your application.properties with following line:
spring.config.import=file:../path/to/your/external.properties
Spring Boot has extensive support for external configuration. The usual approach is to use one of environment variables, configuration provided by a platform such as Kubernetes, or a specialized configuration system through Spring Cloud Config; these all keep secrets (or just environment-specific information) entirely outside of the code. They also have the advantages of providing a common style of configuration for other applications that do not use Spring Boot.
I have stored the password of MongoDB in spring.data.mongodb.password property in application.yml file in my spring boot project. I need to encrypt it so that it is not directly accessed by anyone. I do not intend to do any code changes for it but want to achieve it by some kind of spring boot configuration.
The properties file should never be accessible by anyone (who uses of course the app)... Given that for granted, then I guess you mean to the other people working on your project, in that case I guess a possible solution would be to use BCEncryptor to encode a password and store it either in the properties file or on a side DB and then decrypt it at the launch of the application, through a configuration class or XML.
In any other case you could create a side user in MongoDB giving that use only the permissions you want.
But still, I wouldn't really see the use of it, because if someone have access to the backend of your application...
The issue got resolved. The problem was with the jasypt version. I was using jasypt-3.0.0 and it worked on 2.0.0. The full steps of configuring jasypt in the project can be found here :
https://medium.com/#mail2rajeevshukla/hiding-encrypting-database-password-in-the-application-properties-34d59fe104eb
I have passed the key in application.yml itself as the 3 mentioned methods were not working in my case.
jasypt:
encryptor:
password: secretkey
I have a finalized database in SQL SERVER containing 50+ tables in it and needed to connect it with Dropwizard Code.
I am new to JAVA so my conception about Migrations.xml is it is used to create the tables in database or if any change in database is needed it will be updated through migrations.xml.
So if i don't need any change in database (as told earlier it is finalized).
Can i skip this migrations.xml file?
Need some experts advice please.
If you are handling your database changes elsewhere, then you have no need for any migration xml files within your dropwizard project. It's an optional module, you don't need to use it. You don't even need to include the dropwizard-migrations dependency if you don't want to include database updates in your dropwizard project. You can still connect to your database fine within dropwizard. The docs provide examples using modules dropwizard-jdbi and dropwizard-hibernate.
To connect to your database, add the appropriate code the your java configuration file and yml config as explained in the docs.
jdbi
http://www.dropwizard.io/0.9.2/docs/manual/jdbi.html
hibernate
http://www.dropwizard.io/0.9.2/docs/manual/hibernate.html
I am building a stand alone java application using Spring JPA frame
work. I am able to access the DB in below scenario: if I give the
DB details in application.properties file as
spring.datasource.url=******** spring.datasource.username=******
spring.datasource.password=******
then it's working properly.
but I have to create two DB connections in the same application so,
I changes the names as below
spring.Datasource1.url=********* spring.Datasource1.username=******
spring.Datasource1.password
spring.Datasource2.url=************ spring.Datasource2.username=****
spring.Datasource2.password=*****
then it's not working.
Can you please provide the solution for it?
I have uploaded my code base in below location.
https://github.com/nagtej/MultipleDataSource
This might be helpful to you http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-two-datasources
Also, to connect to multiple data sources you would need to manually configure a DataSource, EntityManagerFactory and JpaTransactionManager.
For this, you can have a look at code placed at https://github.com/spring-projects/spring-data-examples/tree/master/jpa/multiple-datasources
Another good example for this is shared at http://xantorohara.blogspot.com.au/2013/11/spring-boot-jdbc-with-multiple.html