Here I found a simple vertx project that uses apache-shiro for auth.
Here the user informations are stored inside src/main/resources/vertx-users.properties file like this:
user.tim = sausages,morris_dancer,developer,vtoons
role.developer=do_actual_work
role.vtoons=place_order
Is this a good approach to store user name and password in a file? Can we store these information in encrypted format or anywhere in a database. Can apache-shiro access these info from a db?
Please provide if you have some sample projects
Better use LDAP or DB
use blog
http://meri-stuff.blogspot.in/2011/04/apache-shiro-part-2-realms-database-and.html
for reference
Also this stackflow post Configure shiro.ini for JDBC connection
Related
I have stored the password of MongoDB in spring.data.mongodb.password property in application.yml file in my spring boot project. I need to encrypt it so that it is not directly accessed by anyone. I do not intend to do any code changes for it but want to achieve it by some kind of spring boot configuration.
The properties file should never be accessible by anyone (who uses of course the app)... Given that for granted, then I guess you mean to the other people working on your project, in that case I guess a possible solution would be to use BCEncryptor to encode a password and store it either in the properties file or on a side DB and then decrypt it at the launch of the application, through a configuration class or XML.
In any other case you could create a side user in MongoDB giving that use only the permissions you want.
But still, I wouldn't really see the use of it, because if someone have access to the backend of your application...
The issue got resolved. The problem was with the jasypt version. I was using jasypt-3.0.0 and it worked on 2.0.0. The full steps of configuring jasypt in the project can be found here :
https://medium.com/#mail2rajeevshukla/hiding-encrypting-database-password-in-the-application-properties-34d59fe104eb
I have passed the key in application.yml itself as the 3 mentioned methods were not working in my case.
jasypt:
encryptor:
password: secretkey
I've been searching for a way to avoid hard coding my database credentials into my code base (mainly written in Java), but I haven't found many solutions. I read this post where they said a one way hash could be the answer. Is there another way of securely connecting to a database without running into the risk of someone decompiling your code?
Just to clarify, I'm not looking for code, rather a nudge in the right direction.
If you can used spring boot application, then you can configure using cloud config method. I have added some postgresql db connection details for your further reference. Please refer following link for spring boot cloud config. spring_cloud
spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://{{db_url}}:5432/{{db_name}}
spring.datasource.username=postgres
spring.datasource.password=
spring.datasource.maxActive=3
spring.datasource.maxIdle=3
spring.datasource.minIdle=2
spring.datasource.initialSize=2
spring.datasource.removeAbandoned=true
spring.datasource.tomcat.max-wait=10000
spring.datasource.tomcat.max-active=3
spring.datasource.tomcat.test-on-borrow=true
You could load a config file in your code. Define some kind of file, such as JSON or XML, and define all of your configurations in there. You could point to the file as a command line argument, or just hardcode the file path.
Here's a post talking about parsing JSON config in Java:
How to read json file into java with simple JSON library
You can refer to these post. They are basically just saying to either hash, store it in a property file or use an API. Some of the posts are not merely on Java but you can get ideas from them.
How can I avoid hardcoding the database connection password?
https://security.stackexchange.com/questions/36076/how-to-avoid-scripts-with-hardcoded-password
https://www.codeproject.com/Articles/1087423/Simplest-Way-to-Avoid-Hardcoding-of-the-Confidenti
The solution in our team, database as a service,other application use it's API to get database credentials,the request contains simple credentials like application name.
You have several options to avoid hard code values in your source code:
Properties using Advanced Platforms
Properties from Environment variables
Properties from SCM
Properties from File System
More details here:
https://stackoverflow.com/a/51268633/3957754
I have Java app that has remote db credentials in hibernate config file in JAR file. I want to encrypt password that if "simple" user would search for the password in would be not human readable.
I have seen Jasypt examples on the web, but there is Jasypt only for hibernate 4. There is no for hubernate 5.
Can I use Jasypt for hibernate 4 with hibernate 5?
Or maybe there is another solution? I know that placing login and password in JAR file is not safe, but thats the way my app is created.
Thanks in advance.
Place the password(s) in an external .properties file. To use the application in test-setup, you can place a properties file inside your project with fake/test credentials to a local database. For production you can place the secrets on the specific machine that needs to connect to the database.
Never put things you want to keep secret in the jar, source or repository.
I have configured my test environment using WebSphere 8.5.5.5 and Active Directory for authorization.
I would like to get access to more user data.
For now I have access only to user "id" using java bean with:
String userName = facesContext.getExternalContext().getRemoteUser();
That's okay, but I would like to get more information, for example email adress, but I can't find any other methods.
Is there a way to do it?
That ExternalContext in this case is only the authentication context, and only contains things like the auth token and principal.
To get more information from Active Directory you need to query as an LDAP source.
Here's a big blog post about how to do that.
I'm about to begin my first project with java
Let me tell how I used to handle these things...
So far now, I've been workin on asp with a com+ componente made with VB6.
The component is registered via the com+ administration console with a domain user, something lile my_company_domain\my_app_account
The components reads the configuration from an udl file, configured to access the DB with integrated security.
I invoke the componente from asp with server.createobject, the component runs with the specified domain account, and so every DB access runs with this account...
What I like from this approach is the following:
use of integrated security - no sql users
no need to recompile anything to change db (edit udl file) or domain account (edit com+ component configuration)
pooled connections (as I'm always using the same connection string)
production staff can alter the configuration without leaving the account password on a text file
...
well, what would be the best way to achieve something like this on java???
I've already saw something about Commons-DBCP, is it possible to use integrated security with this???
thanks a lot...
--
added in response to a comment
by integrated security I mean I only have to configure a domain account, and that's it, I use no sql server accounts, just the account under which the VB6 com+ component is run.
Ok, maybe that's not the appropiate term, but I hope you get the idea...
Configure DataSource & ConnectionPool on app-server side.
Obtain DataSource from JNDI environment from your web-application.