Best IT Recipes

Java - encrypt / decrypt username and password from configuration file

We are developing a Java web service for the client. Two options are possible:

  • Store the encrypted username / password in the web service client. Read from the config. client-side file, decrypt and send.

  • Save the encrypted username / password on the web server. Read from the config. file on the web server, decrypt and use in the web service.

The username / password is used by the web service to access the third-party application.

The client already has classes that provide this functionality, but this approach involves sending the username / password in clear (albeit inside the intranet). They would rather store information. in a web service, but they don’t really want to pay for what they already have. (Security is not a big consideration because it is only within their intranet).

Therefore, we need something fast and easy in Java.

Any recommendations?

Tomkat 5.5 server. Web Service - Axis2.

  • Which encrypt / decrypt package will we use?
  • How about a keystore?
  • What tuning mechanism should we use?
  • Will it be easy to deploy?
+13
java encryption configuration-files
Dec 03 '08 at 22:39
source share
2 answers

Being on the intranet, of course, does not justify giving up security. The biggest damage done to the information is insiders. Look at the value of what is protected and take security into account.

It looks like there is a third-party application for which you have one set of credentials, and some clients that effectively exchange this identifier when using a third-party application. In this case, I recommend the following approach.

Do not distribute a third-party password outside the web server.

The safest way to do this is to provide its web application interactively. This can be a ServletContextListener, which asks for a password when the application starts, or a page in the application so that the administrator can enter it through the form. The password is stored in ServletContext and is used to authenticate requests to a third-party service.

A decrease in security means saving a password in the server file system so that it can only be read by a user working on the server. It depends on the permissions of the server file system for protection.

Trying to store an encrypted form of password on a client or server just takes a step back. You find yourself in endless regression, trying to protect a secret with a different secret.

In addition, clients must authenticate to the server. If the client is interactive, ask users to enter a password. The server can then decide whether this user has access to a third-party service. If the client is not interactive, the next best security is to protect the client password with file system permissions.

To protect client credentials, the channel between the client and your web server must be SSL protected. Here, working on the intranet is profitable because you can use a self-signed certificate on the server.

If you store passwords in a file, put them in the file yourself; it requires more thorough permission management and minimizes the need for many users to edit this file and thus see the password.

+18
Dec 03 '08 at 23:09
source share

As I understand it, in order to call a third-party web service, you pass the password as plain text, and no security certificates are involved.

Then I would say that the simplest approach would be to store the password in an encrypted format (via the java encryption mechanism), when the encryption / decryption key is simply encoded in the code.

I would definitely save it on the server side (file system or db), and then distribute and maintain it on multiple clients.

Here's how this might work with DES encryption:

// only the first 8 Bytes of the constructor argument are used // as material for generating the keySpec DESKeySpec keySpec = new DESKeySpec("YourSecr".getBytes("UTF8")); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES"); SecretKey key = keyFactory.generateSecret(keySpec); sun.misc.BASE64Encoder base64encoder = new BASE64Encoder(); sun.misc.BASE64Decoder base64decoder = new BASE64Decoder(); ......... // ENCODE plainTextPassword String byte[] cleartext = plainTextPassword.getBytes("UTF8"); Cipher cipher = Cipher.getInstance("DES"); // cipher is not thread safe cipher.init(Cipher.ENCRYPT_MODE, key); String encrypedPwd = base64encoder.encode(cipher.doFinal(cleartext)); // now you can store it ...... // DECODE encryptedPwd String byte[] encrypedPwdBytes = base64decoder.decodeBuffer(encryptedPwd); Cipher cipher = Cipher.getInstance("DES");// cipher is not thread safe cipher.init(Cipher.DECRYPT_MODE, key); byte[] plainTextPwdBytes = (cipher.doFinal(encrypedPwdBytes));
+24
Dec 04 '08 at 7:09
source share


More articles:


All Articles