cayenne-user mailing list archives

From Andrus Adamchik <and...@objectstyle.org>
Subject Re: Redacting db user name and password from XML
Date Tue, 19 Dec 2017 05:56:02 GMT
> A disadvantage of this approach, though, is it puts the username/password
> on the command-line and/or the process list, plus potentially exposes it in
> command-line history, too.

It doesn't if you are careful. Nothing prevents you from putting these in a startup script
of your app (this is what I was kind of alluding to when I defined credentials as exported
vars). From there you have lots of options depending on how paranoid you are:

* restricting access to the script with UNIX permissions.
* storing it on an encrypted drive.
* creating the script dynamically on startup and then deleting when the app is started.

The point is that with properties you have an easy mechanism separating your security solution
away from your Java app.

Andrus
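
A sketch of the startup-script options listed above (owner-only permissions, and a script created at startup and deleted once loaded). It is an added example, not part of the thread or of Cayenne; the file names, sample values and helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File names and sample values are constructed.

# True only for a regular, non-symlink file owned by the current user
# with no group/other permission bits (e.g. mode 0600 or 0700).
creds_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # ls mode string "-rw-------": characters 5-10 are the group/other bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Single-quote a value so that sourcing it never evaluates its content.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Option 3: write a one-shot script (created 0600 via umask) and print its path.
# USER ($1) and PASSWORD ($2) would come from your secret store at startup.
write_ephemeral_creds() (
    umask 077
    f=$(mktemp "${TMPDIR:-/tmp}/cayenne-creds.XXXXXX") || exit 1
    printf 'export MY_USER=%s\nexport MY_PASSWORD=%s\n' \
        "$(shell_quote "$1")" "$(shell_quote "$2")" > "$f"
    printf '%s\n' "$f"
)

# Option 1: refuse to source a script other users could read or modify.
# Pass "once" as the second argument to delete the script after loading.
load_creds() {
    creds_file_is_private "$1" || { echo "refusing $1: not owner-only" >&2; return 1; }
    . "$1" || return 1
    if [ "${2:-}" = once ]; then rm -f -- "$1"; fi
}

# Launch with the multi-node property names from the thread.
# The -D values remain in the JVM's argument list (ps) while it runs,
# which is the exposure raised earlier in the thread; the steps above
# cover the on-disk script and shell history.
start_app() {
    exec java "-Dcayenne.jdbc.username.project.mynode=$MY_USER" \
              "-Dcayenne.jdbc.password.project.mynode=$MY_PASSWORD" "$@"
}

# Usage: load_creds "$HOME/.myapp-creds.sh" && start_app -jar myapp.jar
```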


> On Dec 19, 2017, at 4:27 AM, Michael Gentry <blacknext@gmail.com> wrote:
> 
> A disadvantage of this approach, though, is it puts the username/password
> on the command-line and/or the process list, plus potentially exposes it in
> command-line history, too.
> 
> mrg
> 
> 
> On Mon, Dec 18, 2017 at 11:49 AM, Andrus Adamchik <andrus@objectstyle.org>
> wrote:
> 
>> Hi Mark,
>> 
>> We've done quite a bit of work in Cayenne to avoid complex things like
>> PasswordEncoding or custom DataSourceFactories. If all that is needed is to
>> change / define login credentials, the simplest way is via properties [1].
>> [2] shows an example with a single DataNode. If you have more than one, you
>> will need to add the project name and the DataNode name to the base
>> property name. E.g.:
>> 
>> export MY_USER=user
>> export MY_PASSWORD=secret
>> 
>> java "-Dcayenne.jdbc.username.project.mynode=$MY_USER" \
>>     "-Dcayenne.jdbc.password.project.mynode=$MY_PASSWORD" \
>>     -jar myapp.jar
>> 
>> 
>> Hope this helps,
>> Andrus
>> 
>> [1] http://cayenne.apache.org/docs/4.0/cayenne-guide/configuration-properties.html
>> [2] https://stackoverflow.com/questions/45781378/best-practice-to-manage-apache-cayenne-project-xml-file
>> 
>> 
>> 
>>> On Dec 17, 2017, at 4:23 AM, Mark Hull <mark.mkgnao@gmail.com> wrote:
>>> 
>>> I apologize if this question has been asked and answered before but:
>>> What is the best-practices solution to redact the database user name and
>>> password from an XML file created and used by Cayenne Modeler? The
>>> ServerRuntime build statement is simply:
>>> 
>>> cayenneRuntime = ServerRuntime.builder()
>>>            .addConfig("com/hulles/a1icia/cayenne/cayenne-a1icia.xml")
>>>            .build();
>>> 
>>> It works just fine as long as the db user name and password are in the
>>> XML file, but I don't believe in leaving clear-text artifacts like that
>>> laying around in the code, so I want to add the user and password data at
>>> runtime from a Java method (not from an external file or an 'executable',
>>> whatever that means in the content of PasswordEncoding). Adding
>>> .user("xyz") and .password("zyx") to the build statement don't work,
>>> presumably because the DataNode is not the default and those statements
>>> just set their respective fields for the default DataNode.
>>> 
>>> If I have to, I can create either a Module to change those properties
>>> somehow at runtime (though the documentation for doing so is, to be kind,
>>> sparse), somehow implement the PasswordEncoding (even less documentation,
>>> because I don't know where it's used), or just edit the XML at runtime
>>> (horrible choice but looking like the best of a bad lot at this point).
>>> 
>>> All this seems like a lot of effort when I imagine this need must crop
>>> up fairly often among Cayenne users (it should, for security reasons IMO).
>>> Is there a simple standard way to do what I want? Or at least a standard
>>> way? I don't want to invent a new wheel here. I feel like I'm missing
>>> something obvious that everyone else knows about and that I just missed.
>>> Oh, by the way, whatever the solution is should still allow Cayenne Modeler
>>> to function normally.
>>> 
>>> I promise I searched for the answer everywhere I could think of.
>>> StackOverflow had a couple answers that used deprecated methods and didn't
>>> work when I tried them.
>>> 
>>> Thanks in advance for any help. I hope there's a really simple answer so
>>> I feel stupid but don't have to spend any more time on this than I have
>>> already. :)
>>> 
>>> - Mark Hull
>>> 
>>> /People say nothing is impossible, but I do nothing every day. - A. A.
>>> Milne/
>> 
>> 

