How to use encrypted password in apache BasicDataSource?

Question

At present i am keeping the password [ unencrypted ] in a property file. This password get placed as is in the configuration xml using ant.
[ The configuration xml is for datasource, it is creating the object of dbcp.BasicDataSource ]

Now, is it possible that after the ant target the password is copied in encrypted form. Heard the Jasypt can do that! Till now i haven't tried this. But, the problem doesn't end here. BasicDataSource do not accept encrypted password. Is there any replacement for BasicDatasource.

FYI: I am using Spring, if that matters.

Answer 1

The following jasypt link explains how a properties file containing encrypted content can be read from within your application:

http://www.jasypt.org/encrypting-configuration.html

To create the properties file from within ANT my suggestion is to use the groovy task as follows:

<taskdef name="groovy" classname="org.codehaus.groovy.ant.Groovy"/>

<groovy>
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

def encryptor = new StandardPBEStringEncryptor();
encryptor.setPassword("secret"); 

def f = new File("config.properties")
f.println "datasource.driver=com.mysql.jdbc.Driver"
f.println "datasource.url=jdbc:mysql://localhost/reportsdb"
f.println "datasource.username=reportsUser"
f.println "datasource.password=ENC("+encryptor.encrypt("dbpassword")+")"    

</groovy>

Answer 2

Extend BasicDataSource, override setPassword and setUserName methods. Decrypt the values in those methods and pass them to super class methods.

Answer 3

With Spring there is a better way: use the PropertyPlaceholderConfigurer class.

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
        <value>classpath:com/foo/jdbc.properties</value>
    </property>
    <property name="propertiesPersister">
        <bean class="com.mycompany.MyPropertyPersister" />
    </property>        
</bean>

<bean id="dataSource" destroy-method="close"
      class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" value="${jdbc.driverClassName}"/>
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.username}"/>
    <property name="password" value="${jdbc.password}"/>
</bean>

When you specify a subclass of PropertiesPersister in the property placeholder, Spring load the jdbc.properties and decrypt the file using that class. Maybe something like:

public class MyPropertyPersister extends DefaultPropertiesPersister
{
    // ... initializing stuff...

    public void load(Properties props, InputStream is) throws IOException
    {
        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(is, decrypter);
        super.load(props, cis);
    }

    public void load(Properties props, Reader reader) throws IOException
    {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        IOUtils.copy(reader, baos);
        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());

        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(bais, decrypter);

        InputStreamReader realReader = new InputStreamReader(cis);
        super.load(props, realReader);
    }

    public void loadFromXml(Properties props, InputStream is) throws IOException
    {
        Cipher decrypter = getCipher();
        InputStream cis = new CipherInputStream(is, decrypter);
        super.loadFromXml(props, cis);
    }

    private Cipher getCipher()
    {
         // return a Cipher to read the encrypted properties file
         ...
    }
    ...
}

Hope it helps.

EDIT If you use Jasypt, you do not need to define any PropertiesPersister. From the Jasypt documentation:

Jasypt provides an implementation of these configuration-related Spring classes which can read .properties files with encrypted values (like the ones managed by the EncryptableProperties class) and handle them transparently to the rest of the Spring application beans.

With this, you can define jdbc.properties like this

 jdbc.driver=com.mysql.jdbc.Driver
 jdbc.url=jdbc:mysql://localhost/reportsdb
 jdbc.username=reportsUser
 jdbc.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)

and the Spring config may be like this

<bean class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
   <constructor-arg>
     <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
       <property name="config">
         <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
           <property name="algorithm" value="PBEWithMD5AndDES" />
           <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
         </bean>
       </property>
     </bean>
   </constructor-arg>
   <property name="locations">
     <list>
       <value>/WEB-INF/classes/jdbc.properties</value>
     </list>
   </property>   
</bean>

<bean id="dataSource" destroy-method="close"
      class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName" value="${jdbc.driverClassName}"/>
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.username}"/>
    <property name="password" value="${jdbc.password}"/>
</bean>

This way, you can put the password for decrypt the hidden property in an environment variable when you start the application and unset it later.

Answer 4

Not entirely true in the case of BasicDataSource.

If you read the javadocs for BasicDataSource, setPassword() has no effect once the pool has been initialized. The pool is initialized the first time one of the following methods is invoked: getConnection, setLogwriter, setLoginTimeout, getLoginTimeout, getLogWriter.

Ref: http://www.docjar.com/html/api/org/apache/commons/dbcp/BasicDataSource.java.html

All these methods call createDataSource() eventually.

So your new BasicDataSource class only needs to override the method createDataSource() Something like this:

public class NewBasicDataSource extends BasicDataSource {

protected synchronized DataSource createDataSource() throws SQLException
{
    String decryptedPassword = decryptPassword( super.getPassword() );
    super.setPassword( decryptedPassword );
    return super.createDataSource();
}

private String decryptPassword( String password )
{
    return //logic to decrypt current password
}

Answer 5

Create a new task by extending existing task Copy( responsible for file-copy ). Create a new type by extending FilterSet ( responsible for filtering of tokens ).
see the code here:- http://stackoverflow.com/questions/3657910/how-to-create-nested-element-for-ant-task

build.xml

<target name="encrypted-copy" >
        <CopyEncrypted todir="dist/xyz/config" overwrite="true">
            <fileset dir="config"/>                 
            <encryptionAwareFilterSet>
                <filtersfile file="conf/properties/blah-blah.properties" />
            </encryptionAwareFilterSet>
        </CopyEncrypted>
    </target>

blah-blah.properties

property1=value1
property2=value2
PASSWORD=^&YUII%%&*(
USERNAME=rjuyal
CONNECTION_URL=...
someotherproperty=value

configuration xml

<bean id="dataSource"
        class="com.xyz.datasource.EncryptionAwareDataSource"
        destroy-method="close" autowire="byName">
        <property name="driverClassName">
            <value>com.ibm.db2.jcc.DB2Driver</value>
        </property>
        <property name="url">
            <value>@CONNECTION_URL@</value>
        </property>
        <property name="username">
            <value>@USERNAME@</value>
        </property>
        <property name="password">
            <value>@PASSWORD@</value>
        </property>
        <property name="poolPreparedStatements">
            <value>true</value>
        </property>
        <property name="maxActive">
            <value>10</value>
        </property>
        <property name="maxIdle">
            <value>10</value>
        </property>     
    </bean>
...
...
...

After the execution of the target the xml is copied with values from properties file. Password will be encrypted.

This will handle the encrypted password. EncryptionAwareDataSource

public class EncryptionAwareDataSource extends BasicDataSource{
    @Override
    public synchronized void setPassword(String password) {     
        super.setPassword(Encryptor.getDecryptedValue( password ));
    }
}

---

That' all ;)