I wish to publish my app with open source as example for users. The problem is that I have class that downloads from ftp, and there is password and username written in the class. I wish to hide this information from user. I made an external jar file but with site like: http://jd.benow.ca/ that is Java Decompiler it can be easily opened, how can I hide and make it hard to hack to the username and password that written in one of my classes?
Creates a file where you'll register your username and password. Then you just have to never commit this file in your repository and not share it.
This topic is very similar to yours, maybe the answer will interest you: How can I protect MySQL username and password from decompiling?
In case of an open source project, use web service for assigning username and password to the user who is using project with there application. To implement this, you need to implement some SOAP base approach with axis-2 in java, if that LIB is build in java and simply call the methods with your business logic.
Last but not the least, try to create username and password for the user who download's this LIB so that you don't need to share your username and password with the jar of source files .
Related
I'm trying to setup a guacamole instance to manage my servers accounts. It's working well when I'm using my MySQL database to manage connection user ID and user password.
But I would like to get my password from my keepass like container through REST API, the idea is to store my password in one and secure location !
I have several ideas to do it, but to be honnest this is not very "beautiful"
Hack the JDBC extension to replace my password when guacamole try to access it. So I store in my password field something like "MY_KEEPASS:password_id" and I will do a request to my API, get the value and replace MY_KEEPASS:password_id by the password
Use the token extension to execute my api call when password will find the token ${PASS}. But I'm not sure this is possible without hack the token extension...
Do someone have a better idea to do that ?
Thanks
You can create an authentication extension for Guacamole, this is a regular way to provide more authentication mechanism to the Guacamole. The extension is essentially a .jar that can be registered to the Guacamole as an authenticator.
In your case, it would be probably sufficient to extend some of the JDBC authentication plugins and add your specific auth method.
You can find some documentation about this on the Guacamole site: http://guacamole.apache.org/doc/gug/custom-auth.html. There are also examples in the examples directory of the guacamole-client.
I need to develop a web application for the Intranet users. I don't want them to enter the login credentials each time they visit the site. It should be automatically loaded from the System Username and Password.
I have successfully implemented functionality which prompt user name and password registered with active directory and validate against LDAP. I need some tips to login directly from intranet website without prompt username & password.
Here is my queries, please let me know your suggestion.
Is it compulsory to set SPN?
Do we need to create separate keytab file for each client? In my organization, there is around 800 people are working so should I need to add all client principal in keytab file & copy to client machine to perform autologin.
I have tried many API's like JESSO, Waffle, Spring Kerberos, SPNGO but failed to implement auto login.
If you want to use Kerberos/SPNEGO (which would be my recommendation) you do have to set up SPN. And you only need one keytab for AD domain. Are you running your Java program on some app server, like Weblogic, or as a standalone program? Servers do have security framework that you could use, while for standalone program you'd have to do a bunch of stuff manually.
I've found that the easiest way to do this is to use Atlassian's Crowd (https://www.atlassian.com/software/crowd/overview) instead of implementing it yourself. It's a commercial product, but last time I checked, it was dirt cheap, and it just works.
My company has a Java Web Application with the database password stored in a properties file and we need to secure the password. I've googled and found the Jasypt solution, but in my mind that doesn't really solve the problem because that requires another password to feed to the application and I don't know how to secure that password.
The main suggestion for Jasypt is to feed the password in as an environment variable, which means that in the best case scenario I would be starting the application like:
./myApp -D password=myPasswordDontHackPlz
which isn't secure because you can see the password when you do
ps -ef | grep myApp
We also can't feed the password in when it needs it (via a the web or something) because it essentially decides when it needs the password, and it needs it pretty often.
Is there any solution to this or am I asking for some magical solution that doesn't exist? I don't like Jasypt because it seems to me to essentially just be obfuscation, and I'm not after obfuscation i'm looking for true security here.
Why don't you put the password in a properties file which is only readable by the user that runs the web application? The web application will need to know the root password at some stage, so obviously you want it to be able to read/use it. What you want is that noone else should be able to read it, and protecting the file will do it.
This is all assuming that you need to externalize your password. You could hardcode it into the application if you wanted to make it harder to get at, but someone with access to the JAR can always decompile your classes.
I am just wondering - storing a root database password is a bad idea in general. But then again, when someone actually manages to get access to that file on the server, how safe is your database anyway?
Would the password still show up if you created a shell script and run it instead?
#!/bin/bash
./myApp -D password=myPasswordDontHackPlz
I need to write automated test scripts for webapp and tests require user credentials for login recieved from csv file. The problem is that it's my personal credentials and they are shared for some other services but all project is under svn and I need some way to hide my credentials.
I there some way to store credentials in some "closed" method or library and get credentials with methods like getUserName() and getPassword().
Thanks.
You can save them to properties file and encrypt it.. Now, when your web application up, it will decrypt file and read all credentials store in memory using java.util.Properties and than you can use them whenever you want.
I have to create a java application wich makes a connection to a DB.
Everything is easy until this point. But I need to include a configuration option with the porpouse of allow the end user enter their own parameters (server host, user, pass, database, port, etc.) in order to connect to the DB. Another easy task. Now every time the user starts the application I need to read these presets given by the end user, in other way remember the user's connection preferences.
I found an easy way to do this using the Properties library in the Java's API. But I have a security issue. The user's preferences are exposed to be access easily (username and password mainly).
Is there a way to save this parameters encrypted?
I need a good and simpliest solution for this security issue.
I doubt it. In FileZilla Client 3.6.0.2, I found my login data easily without encrypted. If it was possible to save this parameters encrypted, FileZilla would do it.