I have a little Java prog that uses a webservice which needs authorization. So the Java prog (which is to be run using Windows Task Scheduler) needs to have a user/password argument. How can I store these somewhere without having them lying around in a file as plaintext?

So far I've tried using runtime.getRuntime and CACLS to have a plaintext file but alter the permissions so only the owner could open it (didn't work, not sure why).

Password encryption doesn't work because if I pass the hash to the webservice, the webservice is just "errr what? denied, get lost", but if I use secret key encryption you need a password to decrypt the password. And where do I store that? :P

Help? Please? :)

Thanks.

A: 

Two questions:

  1. Why do you need to store them externally to the program? Why not encode within your Java program (do you or the user need to change them?)
  2. Can you store them externally, but encrypted? For instance, you can encrypt using a public key, and store the private key within the program itself. So visibility of the encoded pair shouldn't matter.

You have a problem regardless of either approach, in that you can easily disassemble a Java program. Whichever method you choose, disassembly will make it vulnerable.

Brian Agnew
+1  A: 

How can I store these somewhere without having them lying around in a file as plaintext?

Storing without a "file" will be difficult. Anyway, at some moment you have to retrieve the password from some location.

  • Use some symmetric encryption for obfuscating so a quick hash does not reveal your password
  • Use the OS filesystem (read-only for the user that uses the program, no access for all others) to protect the file on local disk or put it on an external drive (flash).
PeterMmm
A: 

An option is to not use the Windows task scheduler, but rather put your program as a service. Doing so, you can launch your service once with the password as a parameter. Then the password stays in memory for your service and you don't need to store it anymore.

Setting the program as a service can be done quite easily with the Java Service Wrapper

gizmo
Isn't that visible via the process table (if you provide it as a command-line parameter) or via the service wrapper .conf file?
Brian Agnew
Well, as far as I know, the .conf file is no longer necessary once the application is launched, so you can simply remove the file completely or just the parameter.
gizmo
+1  A: 

There's no way that you can keep your password safely if someone has authority to access that running machine. Keeping the password encrypted somewhere in memory is the most secure way I think, just like the run-as-service solution proposed above.

For a more sophisticated approach, you can create a daemon which allows you to key in the password, keeps it encrypted in memory, and passes that encrypted text to your Java program via IPC (socket), then your program will decrypt it to use. But I would never do this... Hihihi...

instcode
+1  A: 

The simple answer is:

You can't make it entirely secure but you can make it marginally more secure.

You CAN NOT hash the password because this would prevent its use by your program.

You CAN put the password in a file and protect the file using the OS permissions. You will need to allow the process executing your program read access. This prevents anyone without administrator rights from viewing the password.

You CAN encrypt the password and provide the key in your program. This prevents casual observation of the password by those who can read the file but will not stop (or even slow down much) someone with access to the password and your program.

Anything else is more or less theater.

Chris Nava
Why the down vote? Something inaccurate?
Chris Nava
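
The file-permission option from the answers, which is also what the question's CACLS attempt was after, done from Java itself as an added example (not code from any of the posters). It assumes Java 7 or later and that the file is created by the same account the scheduled task runs as; the file name and credentials are constructed, and accounts with administrator rights can still get at the file.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

public class OwnerOnlyCredentials {

    /** Replace the file's permissions so that only its owner has any access. */
    static void restrictToOwner(Path file) throws IOException {
        AclFileAttributeView view = Files.getFileAttributeView(file, AclFileAttributeView.class);
        if (view == null) {
            // No ACL support (typical POSIX file system): owner read/write only.
            Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
            return;
        }
        UserPrincipal owner = Files.getOwner(file);
        AclEntry ownerOnly = AclEntry.newBuilder()
                .setType(AclEntryType.ALLOW)
                .setPrincipal(owner)
                .setPermissions(EnumSet.allOf(AclEntryPermission.class))
                .build();
        view.setAcl(Collections.singletonList(ownerOnly)); // replaces the existing ACL
        // Read the ACL back and fail closed if any other principal still has an entry.
        for (AclEntry entry : view.getAcl()) {
            if (!entry.principal().equals(owner)) {
                throw new IOException("Unexpected ACL entry for " + entry.principal().getName());
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample path and credentials, for illustration only.
        Path file = Paths.get(System.getProperty("user.home"), "ws-credentials.properties");
        // Create the file empty, lock it down, and only then write the secret into it.
        Files.write(file, new byte[0]);
        restrictToOwner(file);
        Files.write(file, "user=example\npassword=example-secret\n".getBytes(StandardCharsets.UTF_8));

        Properties props = new Properties();
        try (Reader in = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            props.load(in);
        }
        System.out.println("Loaded credentials for user " + props.getProperty("user"));
    }
}
```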