All geek questions in one place

Where is it safe to store the p12 file in App Engine?

In App Engine, I need a p12 file to create signed URLs:

https://developers.google.com/storage/docs/accesscontrol#Signing-Strings

Google does not describe which methods are best stored in this file.

Can I use the WEB-INF directory to store a file? It will then be part of the source code and stored with the password to open it.

What are the best practices here? Or other approaches?

-

What about performance? Is it efficient to download the file again and again? Can App Engine automatically cache a file through calls (in a single instance)? Or will I need to upload the file once using the servlet and then somehow save it in a static variable? Are there any better ways to achieve this, for example, storing a file in a data warehouse record and then storing it in memcache? How safe will this approach be? Probably nothing good, right?

+5
source share
1 answer

App Engine specifically has a number of unusual security restrictions in file storage. I found the best place for reliable storage of resources - using the package itself. If you use the default Maven setting created by the appengine maven skeleton project, it's as simple as placing a file inside the corresponding resource directory

Resources Directory Structure

Once p12 is in the right place, you need to load it using the GetResourceAsStream function of the loader class. Then, when creating GoogleCredentials, do not use the documentation for setServiceAccountPrivateKeyFromP12File (), but instead use the setServiceAccountPrivateKey () function and pass the newly created PrivateKey.

In addition, you most likely will not want to use any of these functions with the live appengine instance, since Appengine already provides you with a much more convenient AppIdentityCredentials function in this case, so you probably want to determine if your application will be located in production mode and uses only ServiceAccount when testing using localhost.

Combining all these functions gives the following function that works for me:

public static HttpRequestInitializer getDefaultCredentials() throws IOException { List<String> scopes = Arrays.asList(new String[] {DEVSTORAGE_FULL_CONTROL}); if (SystemProperty.environment.value() == SystemProperty.Environment.Value.Production) return new AppIdentityCredential(scopes); else { GoogleCredential credential; try { String p12Password = "notasecret"; ClassLoader classLoader = ServiceUtils.class.getClassLoader(); KeyStore keystore = KeyStore.getInstance("PKCS12"); InputStream keyFileStream = classLoader.getResourceAsStream("key.p12"); if (keyFileStream == null){ throw new Exception("Key File Not Found."); } keystore.load(keyFileStream, p12Password.toCharArray()); PrivateKey key = (PrivateKey)keystore.getKey("privatekey", p12Password.toCharArray()); credential = new GoogleCredential.Builder() .setTransport(HTTP_TRANSPORT) .setJsonFactory(JSON_FACTORY) .setServiceAccountId(" YOUR_SERVICE_ACCOUNT_EMAIL@developer.gserviceaccount.com ") .setServiceAccountPrivateKey(key) .setServiceAccountScopes(scopes) .build(); } catch (GeneralSecurityException e) { e.printStackTrace(); return null; } catch (Exception e) { e.printStackTrace(); return null; } return credential; } }
+6
source

Source: https://habr.com/ru/post/1200865/

More articles:


All Articles