What is the recommended way to store user credentials in spring MVC?

Question

I am creating a Spring MVC application which is a SOAP client. To communicate with SOAP web-service I am suppose to pass the login credentials. My application doesn't need to store any details dynamically and hence I am not using any db for this application. So kindly suggest a recommended practice to store the sensitive credential for my application. This credential will we managed by the system admin and must be easy for him to change according to the requirement.

Thanks in advance.

Answer 1

Store the username and password in a properties file external to your webapp spring context. That way the sysadmin can easily lock down read access on the properties file to the relevant parties (e.g. your application and himself). That should stop prying eyes seeing the password.

In your spring context have something like:

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="location">
    <list>
      <value>/path/to/config.properties</value>
    </list>
  </property>
  <property name="ignoreUnresolvablePlaceholders" value="true"/>
</bean>

<bean id="myBean" class="...">
    <property name="username" value="{usernameFromExternalPropFile}" />
    <property name="password" value="{passwordFromExternalPropFile}" />
</bean>

The sysadmin will then also be able to change the username/password independently from a build.

See http://www.javaworld.com/community/node/8309/

Answer 2

The simplest option would be to store them in your application context XML configuration file as properties to the bean which is communicating with the SOAP webservice.