From: Amedeo Mantica
Subject: Re: Redacting db user name and password from XML
Date: Wed, 17 Jan 2018 13:57:25 +0100
To: user@cayenne.apache.org

I tried setting the connection dictionary programmatically too; I was successful, but only after deletion of the existing connection dictionary from the XML.

In my module:

    String driver = conf.getString(JDBC_DRIVER_PROPERTY);
    String jdbcUrl = conf.getString(JDBC_URL_PROPERTY);
    String username = conf.getString(JDBC_USERNAME_PROPERTY);
    String password = conf.hasPath(JDBC_PASSWORD_PROPERTY) ? conf.getString(JDBC_PASSWORD_PROPERTY) : "";

    if (jdbcUrl != null) {
        binder.bindMap(Constants.PROPERTIES_MAP).put(Constants.JDBC_DRIVER_PROPERTY, driver);
        binder.bindMap(Constants.PROPERTIES_MAP).put(Constants.JDBC_URL_PROPERTY, jdbcUrl);
        binder.bindMap(Constants.PROPERTIES_MAP).put(Constants.JDBC_USERNAME_PROPERTY, username);
        binder.bindMap(Constants.PROPERTIES_MAP).put(Constants.JDBC_PASSWORD_PROPERTY, password);
    }

Regards
Amedeo

> On 17 Jan 2018, at 13:53, Pascal Robert wrote:
>
> It’s not a Bootique project, it’s a plain old Java project that I run in Eclipse. I can read the properties with System.getProperty, but Cayenne is still using the user and password from the model.
>
> INFO [main] (XMLDataChannelDescriptorLoader.java:125) - Loading XML configuration resource from file:/Users/probert/Code/modele-migration-filemaker/target/classes/cayenne-mysql.xml
> DEBUG [main] (DefaultHandlerFactory.java:38) - Skipping unknown tag
> INFO [main] (DataChannelChildrenHandler.java:106) - Loading XML DataMap resource from file:/Users/probert/Code/modele-migration-filemaker/target/classes/mysql.map.xml
> INFO [main] (DataSourceChildrenHandler.java:81) - loading user name and password.
> DEBUG [main] (DataDomainProvider.java:240) - finished configuration loading in 62 ms.
> INFO [main] (EntityResolver.java:118) - added runtime complimentary DbRelationship from adresse to ecole
> INFO [main] (EntityResolver.java:118) - added runtime complimentary DbRelationship from don_ecole to ecole
> INFO [main] (EntityResolver.java:118) - added runtime complimentary DbRelationship from no_serie to licence
> INFO [main] (EntityResolver.java:118) - added runtime complimentary DbRelationship from regroupement to utilisateur
> INFO [main] (EntityResolver.java:118) - added runtime complimentary DbRelationship from etat_utilisateur to utilisateur_etats
> INFO [main] (DriverDataSource.java:179) - Connecting to 'jdbc:mysql://localhost:3306/services_web' as 'xxxx'
> INFO [main] (DriverDataSource.java:170) - *** Connecting: FAILURE.
> java.sql.SQLException: Access denied for user 'xxxx'@'localhost' (using password: YES)
>
> I have tried with both -Dcayenne.jdbc.username.mysql.mysql=root and -Dcayenne.jdbc.username=root
>
>> On 17 Jan 2018, at 00:58, Andrus Adamchik wrote:
>>
>> If it is not a Bootique project, the property should work. A few non-Bootique projects that I still have (that are on Cayenne 4.0) are started using -Dcayenne.* properties from the docs.
>>
>> If it is a Bootique project, you will need to use the Bootique approach to configure credentials for anything [1], Cayenne included.
>> E.g. for a sample config [2], you'd be setting a value for the property "-Dbq.jdbc.mysql.password". Another way (preferred to -D IMO) is to define a shell variable pointing to the same property, and then exporting the var:
>>
>> in MyModule.java:
>>
>>     BQCoreModule.extend(binder)
>>         .declareVar("jdbc.mysql.username", "DB_USER")
>>         .declareVar("jdbc.mysql.password", "DB_PASSWORD");
>>
>> in startup script:
>>
>>     export DB_USER=root
>>     export DB_PASSWORD=secret
>>
>>     java -jar my.jar # no password in the Java process sig
>>
>> Andrus
>>
>> [1] http://bootique.io/docs/0/bootique-docs/index.html#chapter-7-configuration-and-configurable-factories
>> [2] https://github.com/bootique-examples/bootique-cayenne-demo/blob/master/config.yml
>>
>>> On Jan 17, 2018, at 12:22 AM, Pascal Robert wrote:
>>>
>>> Does -Dcayenne.jdbc.username really work? I’m trying to use that (so that the password is not stored in Git), and the runtime is still using the login information from the XML file.
>>>
>>> Cayenne 4.1.M1.
>>> ServerRuntime mysqlRuntime = ServerRuntime.builder().addConfig("cayenne-mysql.xml").build();
>>>
>>>> On 18 Dec 2017, at 11:49, Andrus Adamchik wrote:
>>>>
>>>> Hi Mark,
>>>>
>>>> We've done quite a bit of work in Cayenne to avoid complex things like PasswordEncoding or custom DataSourceFactories. If all that is needed is to change / define login credentials, the simplest way is via properties [1]. [2] shows an example with a single DataNode. If you have more than one, you will need to add the project name and the DataNode name to the base property name.
>>>> E.g.:
>>>>
>>>>     export MY_USER=user
>>>>     export MY_PASSWORD=secret
>>>>
>>>>     java -Dcayenne.jdbc.username.project.mynode=$MY_USER \
>>>>          -Dcayenne.jdbc.password.project.mynode=$MY_PASSWORD \
>>>>          -jar myapp.jar
>>>>
>>>> Hope this helps,
>>>> Andrus
>>>>
>>>> [1] http://cayenne.apache.org/docs/4.0/cayenne-guide/configuration-properties.html
>>>> [2] https://stackoverflow.com/questions/45781378/best-practice-to-manage-apache-cayenne-project-xml-file
>>>>
>>>>> On Dec 17, 2017, at 4:23 AM, Mark Hull wrote:
>>>>>
>>>>> I apologize if this question has been asked and answered before but: What is the best-practices solution to redact the database user name and password from an XML file created and used by Cayenne Modeler? The ServerRuntime build statement is simply:
>>>>>
>>>>>     cayenneRuntime = ServerRuntime.builder()
>>>>>         .addConfig("com/hulles/a1icia/cayenne/cayenne-a1icia.xml")
>>>>>         .build();
>>>>>
>>>>> It works just fine as long as the db user name and password are in the XML file, but I don't believe in leaving clear-text artifacts like that lying around in the code, so I want to add the user and password data at runtime from a Java method (not from an external file or an 'executable', whatever that means in the content of PasswordEncoding). Adding .user("xyz") and .password("zyx") to the build statement doesn't work, presumably because the DataNode is not the default and those statements just set their respective fields for the default DataNode.
>>>>>
>>>>> If I have to, I can create either a Module to change those properties somehow at runtime (though the documentation for doing so is, to be kind, sparse), somehow implement the PasswordEncoding (even less documentation, because I don't know where it's used), or just edit the XML at runtime (horrible choice but looking like the best of a bad lot at this point).
>>>>>
>>>>> All this seems like a lot of effort when I imagine this need must crop up fairly often among Cayenne users (it should, for security reasons IMO). Is there a simple standard way to do what I want? Or at least a standard way? I don't want to invent a new wheel here. I feel like I'm missing something obvious that everyone else knows about and that I just missed. Oh, by the way, whatever the solution is should still allow Cayenne Modeler to function normally.
>>>>>
>>>>> I promise I searched for the answer everywhere I could think of. StackOverflow had a couple answers that used deprecated methods and didn't work when I tried them.
>>>>>
>>>>> Thanks in advance for any help. I hope there's a really simple answer so I feel stupid but don't have to spend any more time on this than I have already. :)
>>>>>
>>>>> - Mark Hull
>>>>>
>>>>> /People say nothing is impossible, but I do nothing every day. - A. A. Milne/
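
Added example, not part of the thread and not Cayenne's own code: a repository check that flags DataNodes whose project XML still carries login credentials (the state in which the overrides above were reported not to take effect) and lists the per-node property names to supply at runtime instead. The `<node>` / `<login userName password>` layout, the `cayenne-<project>.xml` naming rule, the sample document and the function name are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptor: element and attribute names are assumed
# from the Cayenne project file layout, and the credentials are made up.
SAMPLE = """<domain xmlns="http://cayenne.apache.org/schema/10/domain">
  <node name="mysql">
    <data-source>
      <driver value="com.mysql.jdbc.Driver"/>
      <url value="jdbc:mysql://localhost:3306/services_web"/>
      <login userName="xxxx" password="constructed-secret"/>
    </data-source>
  </node>
  <node name="reporting">
    <data-source><login/></data-source>
  </node>
</domain>
"""

def local(tag):
    """Strip an XML namespace so namespaced and plain files match alike."""
    return tag.rsplit("}", 1)[-1]

def find_embedded_credentials(xml_text, file_name):
    """Return one finding per DataNode whose <login> holds a user or password."""
    m = re.fullmatch(r"cayenne-(.+)\.xml", file_name)
    project = m.group(1) if m else "project"  # assumption: name taken from file name
    findings = []
    root = ET.fromstring(xml_text)
    for node in (e for e in root.iter() if local(e.tag) == "node"):
        for login in (e for e in node.iter() if local(e.tag) == "login"):
            leaked = [a for a in ("userName", "password") if login.get(a)]
            if leaked:
                suffix = f"{project}.{node.get('name')}"
                findings.append({
                    "node": node.get("name"),
                    "attributes": leaked,  # attribute names only, never the values
                    # Per-node property names in the form given in the thread.
                    "use_instead": [f"cayenne.jdbc.username.{suffix}",
                                    f"cayenne.jdbc.password.{suffix}"],
                })
    return findings

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE, "cayenne-mysql.xml"):
        print(f"{f['node']}: remove {f['attributes']} from <login>; set {f['use_instead']}")
```

Run as a pre-commit or CI step, a non-empty result can fail the build before a credential reaches Git.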