I have some Java code which depends on a system property super.secret.password
. I need to set that property when i run my app. The app will be started by a shell script, and the password will be kept in a file with minimal read permissions.
I really don't want to write:
java -Dsuper.secret.password=letmein gov.fortknox.MyApp
Because then anyone who can get on to the machine and run ps
or top
can see what the password is.
So, is there a good way to set system properties without exposing them on the command line?
The only generic solution we've come up with is to write a small C program which reads system properties from a file, then starts the JVM using the JNI invocation API. Needless to say, we are not keen to do this.
If there isn't a way to set them without using the command line, is there a way to hide the command line from prying eyes? We're using Red Hat Enterprise Linux Server 5.5.
For what it's worth, the app in question is actually JBoss EAP 4.3.0, and we're using the system properties to fill in substitution constructs (${like.this}
) in its XML configuration files. There are JBoss-specific solutions - either use the SystemPropertiesService (by default, configured through the properties-service.xml file in the deploy directory) or pass the -P option to run.sh. However, i am interested in the more general case, where this could be any Java program.
You could just read the file somewhere near startup and call System.setProperty()
. For a web application use a ServletContextListener
so it happens early, see this answer for a quick example.
Update: this is perhaps not early enough for your use case with JBoss loading its configuration files.