Hi,

I'm working on a Web Service project to provide data to a partner. Our app is really lightweight and has only a handful of APIs. Because of time constraints and in-house pre-existing knowledge we went the Spring MVC / Spring Security path to serve those RESTful APIs.

At any rate this is a B2B project where we are expecting only that partner to hit our servers. So it seems a little overkill to modify our very small db schemas to add tables that would contain only 1 user access record for that partner...

Heard someone say though that it's possible to use an encrypted file, or at least a file where the password information is encrypted, instead of the database to hold the Spring Security user access information... Is that true? If it is, can anyone point me to some references? I couldn't find anything relevant on Google at first glance... :(

Thanks.

+2  A: 

http://www.mularien.com/blog/2008/07/07/5-minute-guide-to-spring-security/

See the '' under the authentication-provider; this allows you to use encrypted passwords (use sha). If you only have a single user and you wanted the information in an external file, then you could use a property file configuration placeholder to simply specify ${user.1.id}, ${user.1.passwordenc}, etc... kinda hacky, but it would work.

Trever Shick
+1  A: 

It's VERY possible. In fact, you can do it without coding; it's pretty simple to include the credentials directly in the XML defining the Spring Security stuff. You usually see this in examples, followed by warnings to "DON'T DO IT LIKE THIS!"

If in-house security is no big deal and you're not worried that your developers can see your password (as if they needed it, heh!) and no one else is likely to access your configuration files, then this is a quick and easy yet workable solution.

I'm going to post this, but I'm off to go dig in the Spring Security documentation for the example I was talking about. I'll be back!


Update

Trever Shick was a bit faster with the example. I had a different example in mind but his code shows exactly what I was talking about. You define your security provider in the XML and provide user ID/password right there. There are a number of utilities available on the 'net for you to MD5 or SHA encode your password for you so you can cut and paste it into the file.

Carl Smotricz
A: 

You need to implement a new org.springframework.security.core.userdetails.UserDetailsService that reads the user's information (username, password, enabled flag, and authorities) from a file. I don't know if someone already implemented it.

rodrigoap
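
A sketch of the file-backed UserDetailsService described in the last answer, added here as an example and not taken from any of the posts or from Spring Security itself. The class name, the file path argument and the record format (`username=<encoded password>,<enabled|disabled>,ROLE_...`) are assumptions, and it presumes a Spring Security version that provides the `User.withUsername` builder; the stored value is an already-encoded password that the application's configured PasswordEncoder checks.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Properties;

import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical file-backed user store. Assumed record format, one per line:
 *   username=<encoded password>,<enabled|disabled>,ROLE_A[,ROLE_B...]
 */
public class PropertiesFileUserDetailsService implements UserDetailsService {

    private final Properties users = new Properties();

    public PropertiesFileUserDetailsService(Path file) throws IOException {
        // Loaded once at startup. Keep the file outside the web root and
        // readable only by the account the service runs as.
        try (InputStream in = Files.newInputStream(file)) {
            users.load(in);
        }
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String entry = (username == null) ? null : users.getProperty(username);
        if (entry == null) {
            throw new UsernameNotFoundException("Unknown user");
        }
        String[] parts = entry.split(",");
        if (parts.length < 3) {
            // Fail closed: a malformed record must not yield a usable account.
            throw new UsernameNotFoundException("Malformed user record");
        }
        String[] authorities = Arrays.stream(parts).skip(2)
                .map(String::trim).toArray(String[]::new);
        return User.withUsername(username)
                .password(parts[0].trim())   // encoded hash from the file, never plaintext
                .disabled(!"enabled".equalsIgnoreCase(parts[1].trim()))
                .authorities(authorities)
                .build();
    }
}
```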