Reputation: 17497
I have a Java EE application running on GlassFish 4 / Java 8 (x64). Development is on a Windows machine, but it will eventually be ported to Linux (either Red Hat or Ubuntu). In that application I have the requirement to send email messages from an SMTP server requiring user authentication, and I'm using JavaMail to perform the connection and send the email messages. These emails are sent on behalf of the system during successful user registration, password reset requests, etc. The user initiating the action, therefore, will not have the credentials to send the email. The same email credentials are used for all such actions, and the email account in question is dedicated to this use.
The approaches which immediately come to mind are to store the sending email account username and plaintext password in a database or some other data store, or to hard code the username and plaintext password in the Java EE application. This has an obvious security risk typically associated with storing passwords in the clear.
There are variations on this, where I could store an encrypted version of the password either in the database or hard coded in the application. At that point, I'm back to finding a method of storing the key used to decrypt the password.
What methods exist for securely managing such credentials in Java EE? Am I stuck with storing this in plain text?
Upvotes: 2
Views: 816
Reputation: 29971
First, you mean "Java EE"; there is nothing named "JEE".
The typical way to do this is to configure a JavaMail Session as an administered object in the application server (GlassFish in this case), and look up or inject that Session in your application. The configuration of the Session will include the username and password. That keeps the password out of your application, but it will be accessible to anyone who can read the GlassFish files on the server. To further secure it, you can store the password in the keystore, reference it from the Session configuration using a password alias, and set a master password for GlassFish to protect the keystore. I'm sure you'll find further details in the GlassFish documentation; sorry, I don't have a link handy.
Upvotes: 3
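The setup the answer describes, as an added example that is not code from the question, the answer, or the GlassFish project. It assumes a JavaMail resource registered under the JNDI name `mail/AppMail` (a hypothetical name), a password alias named `smtp-password`, and that GlassFish resolves the `${ALIAS=...}` reference in the resource's property before the value reaches the `Session`, so the application reads the de-aliased password from the Session properties rather than holding it anywhere itself. The property name `mail.smtp.password` is an arbitrary choice for this example; JavaMail itself does not read it, which is why the code passes it to `Transport.connect` explicitly.

```java
// Added example, not code from the question or the answer above.
// Assumes a GlassFish 4 JavaMail resource created roughly like this (hypothetical
// host, address and JNDI name):
//
//   asadmin create-password-alias smtp-password
//   asadmin create-javamail-resource --mailhost smtp.example.com \
//       --mailuser noreply@example.com --fromaddress noreply@example.com \
//       --property "mail.smtp.auth=true:mail.smtp.port=587:mail.smtp.starttls.enable=true:mail.smtp.password=\${ALIAS=smtp-password}" \
//       mail/AppMail
//
// The alias is resolved from the domain keystore, which the GlassFish master
// password protects. Neither the application code nor the database holds the
// SMTP password; only the server configuration references it, by alias.

import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

@Stateless
public class RegistrationMailer {

    // Container-managed Session injected from the administered object.
    // The credentials live in the server configuration, not in this class.
    @Resource(lookup = "mail/AppMail")
    private Session mailSession;

    public void sendRegistrationConfirmation(String recipient, String token)
            throws MessagingException {
        MimeMessage msg = new MimeMessage(mailSession);
        msg.setFrom(); // taken from the resource's from-address (mail.from)
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress(recipient));
        msg.setSubject("Confirm your registration");
        msg.setText("Visit https://app.example.com/confirm?token=" + token);

        // GlassFish sets mail.user from --mailuser; the password property was
        // de-aliased by the server when the resource was created (assumption).
        String user = mailSession.getProperty("mail.user");
        String password = mailSession.getProperty("mail.smtp.password");

        // Explicit connect so the password is handed to the SMTP transport only
        // for the lifetime of this connection. GlassFish 4 ships JavaMail 1.5,
        // whose Transport is not AutoCloseable, hence try/finally.
        Transport transport = mailSession.getTransport("smtp");
        try {
            transport.connect(user, password);
            transport.sendMessage(msg, msg.getAllRecipients());
        } finally {
            transport.close();
        }
    }
}
```

Two checks worth doing after deploying this: `asadmin list-password-aliases` should show `smtp-password`, and `domain.xml` should contain only the `${ALIAS=smtp-password}` reference, never the plaintext. The remaining exposure is what the answer states: anyone who can read the domain's keystore and knows (or can extract from a `--savemasterpassword` file) the master password can recover the credential, so file permissions on the domain directory and a non-default master password are what the scheme ultimately rests on.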