views: 76
answers: 3

I am looking for a step-by-step how-to on securing passwords put in configuration files in Grails. This means securing passwords in Config.groovy and DataSource.groovy. There are a lot of Google results that contain bits and pieces of the answer, but no concise guides on how to do this. Can someone please point me in the right direction? Thanks

A: 

Config.groovy and DataSource.groovy are not configuration files, they are configuration classes. The compiled results are not directly readable.

Update

Then use an obfuscation tool on your config classes. Here is a list.

amra
Byte code is not secure in this way. Strings can often be read directly in byte code files.
deamon
What deamon said, plus anyone who has access to your Config/DataSource.groovy files has access to your credentials.
proflux
See my update...
amra
+1  A: 

The question is: against what do you want to protect your config file? One possibility would be to use file system encryption. Another one would be to encrypt the file with a strong password and ask for the password when the application starts. But consider that the application cannot be restarted then without entering the password again!

Take a look at the Apache httpd documentation to see how Apache handles the same problem.

deamon
+2  A: 

For Config.groovy, you could always just encrypt the password some way and then put that hash in Config.groovy, manually. When you need to use it in your code, have some code to decrypt it for you. Doesn't seem that hard.

DataSource.groovy is a different animal, however, since it is fed into the Hibernate API for you. I did see some code like this on the interwebs and it seems like it is headed in the right direction...

dataSource {
    pooled = false
    driverClassName = "org.hsqldb.jdbcDriver"
    username = "sa"
    // someEncryptionApiObject and propertyFile are placeholders for whatever
    // decryption helper and property reader you supply
    password = someEncryptionApiObject.decrypt(propertyFile.readProperty("MyPassword"))
}

...where you would encrypt the property file containing the data you need, and decrypt when needed.

Gregg
Yes, this solution seems very similar to this: http://jira.codehaus.org/browse/GRAILS-3620. It seems the Hibernate data source has machinery in it to decrypt given a codec. I'm wondering about other passwords though; we also use the mail plugin which requires its own password. I think your advice to just decrypt inline, since .groovy files are code, is good. I'll try later today/tomorrow.
hvgotcodes
What are the advantages here compared to storing the password as plain text on the file system but with restricted access? It seems like you will need to store something on the filesystem, either private key or the password itself. Ultimately wouldn't you have about the same vulnerabilities in both approaches? Maybe the encrypted password on the filesystem buys you some additional security through obscurity?
proflux
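As an added example, not code from any of the answers above, here is one concrete way to do the inline decryption Gregg sketches, covering the mail-plugin case hvgotcodes raises (any encrypted property, not just the data source password) and making deamon's and proflux's point explicit: the key still has to live somewhere, so it is kept in a file outside the webapp, readable only by the service account, and only its path reaches the application via the environment. ConfigSecrets, GRAILS_DB_KEY_FILE and GRAILS_DB_SECRETS_FILE are names made up for this example; it assumes Groovy 2 and Java 8 or later for AES/GCM in the default JCE provider.

```groovy
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec
import java.security.SecureRandom
import java.util.Arrays

// ConfigSecrets, GRAILS_DB_KEY_FILE and GRAILS_DB_SECRETS_FILE are invented
// names for this example. The key file is assumed to live outside the webapp
// (e.g. under /etc/myapp) and to be readable only by the service account.
class ConfigSecrets {
    static final int IV_BYTES = 12   // 96-bit nonce, the GCM default
    static final int TAG_BITS = 128

    // The key never appears in Config.groovy, DataSource.groovy or the WAR;
    // only its path does, and that comes from the environment at call time.
    static SecretKey loadKey(String keyPath = System.getenv('GRAILS_DB_KEY_FILE')) {
        if (!keyPath) throw new IllegalStateException('GRAILS_DB_KEY_FILE is not set')
        new SecretKeySpec(new File(keyPath).text.trim().decodeBase64(), 'AES')
    }

    // Run once, offline, to produce the value placed in the secrets file.
    // Output is base64(iv || ciphertext || tag).
    static String encrypt(SecretKey key, String plaintext) {
        byte[] iv = new byte[IV_BYTES]
        new SecureRandom().nextBytes(iv)
        Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv))
        byte[] ct = c.doFinal(plaintext.getBytes('UTF-8'))
        byte[] out = new byte[iv.length + ct.length]
        System.arraycopy(iv, 0, out, 0, iv.length)
        System.arraycopy(ct, 0, out, iv.length, ct.length)
        out.encodeBase64().toString()
    }

    // Called at startup. A wrong key or an edited value throws
    // AEADBadTagException instead of yielding garbage, so the app fails closed.
    static String decrypt(SecretKey key, String encoded) {
        byte[] blob = encoded.decodeBase64()
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES)
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length)
        Cipher c = Cipher.getInstance('AES/GCM/NoPadding')
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv))
        new String(c.doFinal(ct), 'UTF-8')
    }

    // Reads one encrypted property (db password, mail password, ...) and decrypts it.
    static String secret(String name,
                         String secretsPath = System.getenv('GRAILS_DB_SECRETS_FILE'),
                         String keyPath = System.getenv('GRAILS_DB_KEY_FILE')) {
        Properties props = new Properties()
        new File(secretsPath).withInputStream { props.load(it) }
        String value = props.getProperty(name)
        if (value == null) throw new IllegalStateException("no property '${name}' in ${secretsPath}")
        decrypt(loadKey(keyPath), value)
    }

    // Self-test with constructed values: generate a key, encrypt a sample
    // password, write both to temporary files and read the password back the
    // way the DataSource.groovy fragment below would.
    static void main(String[] args) {
        KeyGenerator kg = KeyGenerator.getInstance('AES')
        kg.init(128)   // 256 needs the unlimited-strength policy on older JREs
        SecretKey key = kg.generateKey()
        File keyFile = File.createTempFile('example', '.key'); keyFile.deleteOnExit()
        keyFile.text = key.encoded.encodeBase64().toString()
        File secrets = File.createTempFile('example', '.properties'); secrets.deleteOnExit()
        secrets.text = "dataSource.password=${encrypt(key, 'constructed-sample-password')}\n"
        assert secret('dataSource.password', secrets.path, keyFile.path) == 'constructed-sample-password'
        println 'round trip OK'
    }
}

/* DataSource.groovy, with ConfigSecrets on the classpath (e.g. src/groovy):

dataSource {
    pooled = true
    driverClassName = "org.hsqldb.jdbcDriver"
    username = "sa"
    password = ConfigSecrets.secret('dataSource.password')
}
*/
```

What this buys, and what it does not: the encrypted properties file and the config classes can now be checked in, backed up or copied out without exposing the password, and a tampered value fails the GCM tag check rather than connecting with a wrong password. It does not protect against anyone who can read the key file or run code as the service account, since the plaintext is recovered in the JVM and handed to the connection pool; that is exactly the equivalence proflux points out, so the key file needs the same restricted permissions you would otherwise put on a plaintext DataSource.groovy. If even that is too much exposure, deamon's option of prompting for the key at startup removes it from disk at the cost of unattended restarts.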