Is there any way to get the users and passwords created in MongoDB from Java? I am trying to write an encryption utility which will then encrypt the usernames and passwords. I went through the Driver documentation for Java but didn't find anything relevant.
Thanks
Boris
User/password stored in collection of system.users per mongoDB database, just query it as query normal collection. But normally you can't get the original password because it has been converted.
Thanks... That works but as you said the password is stored in encrypted format. I am writing a script that will create the users and the roles and encrypt it and store it in a different collection. So I was thinking of implementing the encryption part as a separate utility, in Java, which can be run after the automated scripts (which are nothing but Mongo shell commands in Javascript) have run. Now i need to figure out a way to invoke the utility at the time of user creation i.e from Javascript or to implement the encryption in Javascript itself. I'll post the solution once i figure it out.
Thanks Again!!!!
Related
I have an APP (Android) and a service made in PHP.
I send information between them and now there is a security problem that I need to encrypt the data very much.
I need to encrypt in java and when I get to the service (PHP) I need to decrypt the content that has arrived.
Is there any native function in JAVA and PHP that already does this?
I found some examples in Google and here in stackoverflow, but nothing that I described in PHP
Ok, 1st if you consider encryption or decryption depends on any specific language or vice-versa, then It's not true. Any encryption/decryption is a concept which available in all languages and surely support by one another.
Now come to your question, as far as I can understand your question, you are looking for approach which encrypt data in JAVA and decrypt same in PHP. Please correct me if I m wrong.
Below I am sharing process/approach which may help you to design/setup your architecture about it.
1) Let's assume you are aming to implement MD5 encryption/description in your application.
2) In java you can achieve all publicly available encryption either inbuilt or by third party jars, just create utility class and create separate bean with required fields, then add required logic in utils class and pass same information to bean.
3) Now Pass that bean data to web-api which is written in PHP (method you prefer get/post), most of the time in PHP it is String only.
4) Inside PHP code pass that information in fashion which describe in below link:
Encp/Decp in php
And in the end just follow below answer, I guess it is bit close to what you are looking for.
Note: I use MD5 just to explain how to setup an architecture and kick-off for base, but in real environment avoid using MD5 as now n-number way available to bypass this one, best use some strong encpy/decpy technique/algorithm like triple DES, RSA, AES etc.
Java and Php relation for encp/decpt
I'm building a basic webapp that takes in a user input and returns an encrypted password.
Problem is, currently the SecretKey I am using is stored in the src for the Java class. To me, it seems this is risky practice so I'm trying to find a way to safely store my SecretKey.
Doing some research, I found the Java KeyStore class but I'm not entirely sure if this is what I need. Also, if this is what I need, can you guys point me in the direction of how to implement it, and more importantly, how it works?
Thanks
Edit: From doing a lot of thinking/reading it seems like there really isn't a great solution and really a solution isn't needed so long as your main server is secure, which mine will be, so it's not an issue.
Thank you for all the replies! :)
Passwords should be stored using one way hash functions that way your system avoids this problem. See https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
If you are talking about your encryption key, then there is no secure way to store that key safely in JavaScript. I guess the storage you are talking about its the browsers local storage, which is nothing more then a persistent cookie on browser side.
Everybody that uses the chrome WebInspector or Firefox Firebug can easly read this store for any page he is visiting. Furthermore, you would have to save it in this store by JavaScript and as everybody can read your source code in the browser, its even more obvious.
The only possibilty to do such things safely is Server-Sided, like with PHP for example. If you though want the feeling of interactive behaviour, you can use AJAX on clientside to interact with the backend.
EDIT:
Ah, I think I got you wrong as you are talking about Java in Backend? If yes I think there is no Problem when u have the key hardcoded in your compiled sources??? If you want to store it somewhere else and are afraid someone uses it, you could salt and hash it in your application before you use it for key generation (of course the salt is hardcoded then)?
I am making a math game in Java and I want to create the ability for the user to create a local account (or log in to an existing one), which would have a unique properties file. How would I do this?
You have a couple of options to look into. Java comes with the necessary libraries with which you can create, open, read and write to files. Using the File class, you could create an account file, for instance "User1.properties", and save the information in an easy to parse format. If you're looking to go one further, you can look into using XML or JSON, which are commonly used formats for saving information in this way. Here's some helpful links to get you started.
Using files in Java
Using XML in Java
Using JSON in Java
Another option you have available is to use a database in a similar fashion to websites. The type of database you use is up to you, although MySQL is an example of one commonly used database. Once again, here is a link to help you get started with MySQL in Java.
Regardless of what you use, you will need to take the username and password provided (or whatever combination of login credentials you would like your system to use), and compare them with those stored in your file or database.
This question already has answers here:
Handling passwords used for auth in source code
(7 answers)
Closed 7 years ago.
I'm developing an application which read some data from a db.
The connection to the db is performed through standard login/password mechanism.
The problem is: how to store the db password?
If I store it as a class member, it can be easily retrieved through a decompiling operation.
I think that obfuscation doesn't solve the problem, since a string password can be found easily also in obfuscated code .
Anyone has suggestions?
Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).
See this wonderful answer for more detailed explanation : By William Brendel
For a small and simple app where you don't want to involve a lot of other security measures, this should probably be a configuration option. When you deploy your application, it could read a configuration file where the database connection properties are specified. This means that application per se doesn't know the password, but you need to gain access to the server to find the password.
Some datas should be configurable. Just now as you told, it may be a username and password or some common datas; Normally what we do is creating a property-configuration page. What I used to do is use an XML file, keep your password/username in some encrypted format. You can easily parse an XML to retrieve your password for connectivity.
This ensures the reliability that your passwords can be changed at any time. This refers not to passwords only. but any data that you use, which is to be configured from time to time.
I have two web apps in one domain. One is written by ruby another is by java. And my rails app is using db session. So there have a "sessions" table in my database. What I want to do is reading the session info from this table in java.
Here is my problem: Rails' sessions table is encrypted. So I can not read it directly from JDBC.
I don't want to write a decrypt code to convert it. Because it's not a good idea to split one logic both in java and rails. So I hope to find a way to cancel the encrypt session data behavior in rails. Does anyone know how to wirte it in rails config file?
Thanks!
The encryption scheme isn't going to change in the Rails code, so it's not a horrible thing to implement the decryption in Java. If you want to take this route, refer to this question. However, if you really want to prevent encryption, it's not well documented, but in config/environment.rb it would probably suffice to make sure that the hash in config.action_controller.session does not contain an entry with the key :secret. Make sure you secure your database with other means though!