tace

Reputation: 189

How to store password as encrypted in properties file in Spring

I am very new to the Spring framework, and I am using it to manage my database connections and so on. The application reads my DB connection parameters from a property file. What I need is to store my connection password in the property file in encrypted form. Here is my datasource XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">

        <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
            <property name="location">
                <value>file:${DBConfigFile}</value>
            </property>
        </bean>

        <bean id="myDataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
            <property name="driverClass" value="${jdbc.driverClassName}" />
            <property name="jdbcUrl" value="${jdbc.url}" />
            <property name="user" value="${jdbc.username}" />
            <property name="password" value="${jdbc.password}" />
            <property name="initialPoolSize"><value>3</value></property>
            <property name="minPoolSize"><value>3</value></property>
            <property name="maxPoolSize"><value>50</value></property>
            <property name="idleConnectionTestPeriod"><value>200</value></property>
            <property name="acquireIncrement"><value>1</value></property>
            <property name="maxStatements"><value>0</value></property>
            <property name="numHelperThreads"><value>3</value></property>
        </bean>

    </beans>

I am thinking of writing the encrypted password to the property file, and I am wondering if Spring can decrypt it with an algorithm automatically. Is it possible with configuration? Thank you in advance.

Upvotes: 17

Views: 46255

Answers (5)

Amit Parashar

Reputation: 1457

I am using Spring 4 and Jasypt 1.9. The Jasypt documentation does not provide explicit support for Spring 4. I could not locate a class named EncryptablePropertyPlaceholderConfigurer with the org.jasypt:jasypt:1.9.2 dependency either.

I wrote a simple static encryption utility java class (this uses jasypt API).

    import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;

    public class EncryptionUtil {
        static PooledPBEStringEncryptor encryptor = null;
        static {
            encryptor = new PooledPBEStringEncryptor();
            encryptor.setPoolSize(4);
            // There are various approaches to pull this configuration via system level properties.
            encryptor.setPassword("parashar");
            encryptor.setAlgorithm("PBEWITHMD5ANDDES");
        }

        public static String encrypt(String input) {
            return encryptor.encrypt(input);
        }

        public static String decrypt(String encryptedMessage) {
            return encryptor.decrypt(encryptedMessage);
        }

    }

I used this utility to encrypt the passwords I intended to keep in my property files.

I then simply used spring EL to decrypt the properties back in my spring config xml.

    <property name="password" value="#{T(amit.parashar.EncryptionUtil).decrypt('${db.password}')}" />

EDIT: To answer how to hide the encryption password:

Use system args while bringing up your Java process.

For example:

    java -Dwhatismyencpawd="parashar"

and use it like

    encryptor.setPassword(java.lang.System.getProperty("whatismyencpawd"));

This way only the app admin would know the password. This way the password will be visible as part of the ps command output on a UNIX box, though.

Or you can configure and read it from an OS level environment variable as well.

Upvotes: 6
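
The environment-variable option from the end of the answer above, as an added example that is not part of the original answer: a variant of EncryptionUtil that reads the key from a variable instead of a -D argument and fails with a clear error when it is missing. The class name EnvKeyEncryptionUtil and the variable name APP_PROPS_KEY are assumptions made for this example.

```java
import java.io.Console;
import java.util.Arrays;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public final class EnvKeyEncryptionUtil {
    // Hypothetical variable name chosen for this example.
    static final String KEY_ENV_VAR = "APP_PROPS_KEY";
    private static PooledPBEStringEncryptor encryptor;

    // Built on first use, so a missing key stops Spring context startup with a clear error.
    private static synchronized PooledPBEStringEncryptor encryptor() {
        if (encryptor == null) {
            String key = System.getenv(KEY_ENV_VAR);
            if (key == null || key.isEmpty()) {
                throw new IllegalStateException(KEY_ENV_VAR + " is not set; cannot decrypt properties");
            }
            PooledPBEStringEncryptor e = new PooledPBEStringEncryptor();
            e.setPoolSize(4);
            e.setPassword(key);
            // Same algorithm as the answer, so values encrypted with its utility still decrypt.
            e.setAlgorithm("PBEWITHMD5ANDDES");
            encryptor = e;
        }
        return encryptor;
    }

    public static String encrypt(String input) {
        return encryptor().encrypt(input);
    }

    public static String decrypt(String encryptedMessage) {
        try {
            return encryptor().decrypt(encryptedMessage);
        } catch (EncryptionOperationNotPossibleException ex) {
            // Wrong key or damaged value. Keep both out of the message so they never reach logs.
            throw new IllegalStateException("Cannot decrypt property; check " + KEY_ENV_VAR, ex);
        }
    }

    // Prompts for the value instead of taking it as an argument, so it stays out of ps and shell history.
    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("Run from an interactive terminal");
        char[] secret = console.readPassword("Value to encrypt: ");
        System.out.println(encrypt(new String(secret)));
        Arrays.fill(secret, '\0');
    }
}
```

In the Spring XML it is referenced the same way as in the answer, with T(...) pointing at this class's package-qualified name. The key still has to reach the process, so anyone who can read the process environment can decrypt the properties.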

Shahbour

Reputation: 1323

You can use the encryption and decryption provided by Spring Cloud Config.

Upvotes: 1

Slava Semushin

Reputation: 15204

As far as I know, Spring does not support this ability, but some other projects may be helpful:

Upvotes: 8

icsmith23

Reputation: 41

You could write a bean that decrypts your password and then inject the bean into whatever needs the password.

Upvotes: 0

kan

Reputation: 28951

It doesn't make any sense, because if Spring can decrypt it, then everybody else could too. This encryption will not make any difference; it doesn't protect anything. It gives only a dangerous thing: a false feeling of protection.

Maybe you could use some other way of database authentication, e.g. MS SQL Server allows using Windows Security instead of password authentication. The same goes for Postgres (it gives access by user account or using SSL certificates).

Upvotes: 2
