
Secure by Design - Properties Files

 
Ranch Hand
Posts: 438
Hi,
What would your alternative be to using properties files for information like database or server passwords for application authentication ?

thanks,
Paul  
 
Greenhorn
Posts: 5
Maybe creating a table with the properties file data? That way minimum information can be stored in the properties file to connect to the database.
 
paul nisset
Ranch Hand
Posts: 438

That either involves connecting to a database for which your app needs the password first or hard coding a table in your source code (don't do this).
 
Author
Posts: 5
Hi,

In general, you don't want to place sensitive data (e.g. credentials) in property files. Instead, you want to use a design that provides the sensitive data to your application. This way, your application becomes loosely coupled to your environment, developers don't need to know what the credentials are, and you open up for automatic rotation. There are many solutions to achieve this – one is to use an external vault (e.g. Vault by HashiCorp or AWS Secrets) or if you don't need to be that advanced, make the environment load them at deploy time.

Cheers,

/Daniel
 
paul nisset
Ranch Hand
Posts: 438

make the environment load them at deploy time.

By deploy time, do you mean in an external bash (or something similar) deployment script? I'm not sure how to do that.
Do you have any examples of this in the book?

I've authenticated to external servers using SAML2. I'm guessing that AWS Secrets or other providers use the same sort of certificate mechanism to authenticate.

Thanks.
 
Daniel Deogun
Author
Posts: 5
Hi Paul,

Yes, if you don't want to go fancy, you could load your sensitive environment data at deploy time using your pipeline. This does, however, still require you to store your sensitive data securely which can be a bit tricky. I therefore tend to go for a solution that uses dynamic loading of credentials when needed e.g. using AWS Secrets.

Unfortunately I don't think we have an explicit example of this in the book, but you could use bash or some other scripting language to fetch configuration data at deploy time.

Cheers,

/Daniel
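One way to implement what Daniel describes in his two posts above (the deploy pipeline exports the credentials into the process environment, the application reads them from there instead of a properties file, and it fails fast when they are missing), as an added Java 11 example that is not from the book or either post; the class name and the DB_USER/DB_PASSWORD variable names are assumptions:

```java
import java.util.Arrays;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
/** Database credentials resolved from the deployment environment, not from a properties file. */
public final class EnvCredentials {
    // Variable names are assumptions for this example; they are set by the deploy pipeline.
    static final String USER_VAR = "DB_USER";
    static final String PASSWORD_VAR = "DB_PASSWORD";

    private final String user;
    private final char[] password; // char[] so the in-memory copy can be wiped after use

    private EnvCredentials(String user, char[] password) {
        this.user = user;
        this.password = password;
    }

    /** The lookup is injected: System::getenv in production, a Map in tests. */
    public static EnvCredentials load(Function<String, String> lookup) {
        String user = require(lookup, USER_VAR);
        char[] pw = require(lookup, PASSWORD_VAR).toCharArray();
        return new EnvCredentials(user, pw);
    }

    private static String require(Function<String, String> lookup, String name) {
        String value = lookup.apply(name);
        if (value == null || value.isBlank()) {
            // Fail fast at startup; never fall back to reading a file on disk.
            throw new IllegalStateException("Not provided by the environment: " + name);
        }
        return value;
    }

    public String user() { return user; }

    /** Lends the password to a single operation (e.g. building a DataSource), then wipes it. */
    public void usePassword(Consumer<char[]> operation) {
        try { operation.accept(password); } finally { Arrays.fill(password, '\0'); }
    }

    @Override public String toString() { return "EnvCredentials[user=" + user + ", password=<redacted>]"; }

    public static void main(String[] args) {
        // Constructed sample environment standing in for variables exported by a deploy script.
        Map<String, String> deployEnv = Map.of(USER_VAR, "app", PASSWORD_VAR, "constructed-sample-only");
        EnvCredentials creds = EnvCredentials.load(deployEnv::get); // production: load(System::getenv)
        creds.usePassword(pw -> System.out.println(creds + " -> password length " + pw.length));
    }
}
```

Swapping `deployEnv::get` for a call into a vault client gives the dynamic loading Daniel mentions in his second post without changing the rest of the application.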
 
paul nisset
Ranch Hand
Posts: 438
Thanks Daniel.
 