How to use encrypted password in apache BasicDataSource?

Rakesh Juyal picture Rakesh Juyal · Aug 6, 2010 · Viewed 24.5k times · Source

At present i am keeping the password [ unencrypted ] in a property file. This password get placed as is in the configuration xml using ant.
[ The configuration xml is for datasource, it is creating the object of dbcp.BasicDataSource ]

Now, is it possible that after the ant target the password is copied in encrypted form. Heard the Jasypt can do that! Till now i haven't tried this. But, the problem doesn't end here. BasicDataSource do not accept encrypted password. Is there any replacement for BasicDatasource.

FYI: I am using Spring, if that matters.

Answer

Ither picture Ither · Aug 16, 2010

With Spring there is a better way: use the PropertyPlaceholderConfigurer class.

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
        <value>classpath:com/foo/jdbc.properties</value>
    </property>
    <property name="propertiesPersister">
        <bean class="com.mycompany.MyPropertyPersister" />
    </property>        
</bean>

<bean id="dataSource" destroy-method="close"
      class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" value="${jdbc.driverClassName}"/>
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.username}"/>
    <property name="password" value="${jdbc.password}"/>
</bean>

When you specify a subclass of PropertiesPersister in the property placeholder, Spring load the jdbc.properties and decrypt the file using that class. Maybe something like:

public class MyPropertyPersister extends DefaultPropertiesPersister
{
    // ... initializing stuff...

    public void load(Properties props, InputStream is) throws IOException
    {
        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(is, decrypter);
        super.load(props, cis);
    }

    public void load(Properties props, Reader reader) throws IOException
    {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        IOUtils.copy(reader, baos);
        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());

        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(bais, decrypter);

        InputStreamReader realReader = new InputStreamReader(cis);
        super.load(props, realReader);
    }

    public void loadFromXml(Properties props, InputStream is) throws IOException
    {
        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(is, decrypter);
        super.loadFromXml(props, cis);
    }

    private Cipher getCipher()
    {
         // return a Cipher to read the encrypted properties file
         ...
    }
    ...
}

Hope it helps.

EDIT If you use Jasypt, you do not need to define any PropertiesPersister. From the Jasypt documentation:

Jasypt provides an implementation of these configuration-related Spring classes which can read .properties files with encrypted values (like the ones managed by the EncryptableProperties class) and handle them transparently to the rest of the Spring application beans.

With this, you can define jdbc.properties like this

 jdbc.driver=com.mysql.jdbc.Driver
 jdbc.url=jdbc:mysql://localhost/reportsdb
 jdbc.username=reportsUser
 jdbc.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)

and the Spring config may be like this

<bean class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
   <constructor-arg>
     <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
       <property name="config">
         <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
           <property name="algorithm" value="PBEWithMD5AndDES" />
           <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
         </bean>
       </property>
     </bean>
   </constructor-arg>
   <property name="locations">
     <list>
       <value>/WEB-INF/classes/jdbc.properties</value>
     </list>
   </property>   
</bean>

<bean id="dataSource" destroy-method="close"
      class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" value="${jdbc.driverClassName}"/>
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.username}"/>
    <property name="password" value="${jdbc.password}"/>
</bean>

This way, you can put the password for decrypt the hidden property in an environment variable when you start the application and unset it later.