I have a Java web application designed to be deployed on the internet. It needs a database connection. Depending upon hosting environments, it may not be possible for the deployers of the web application to configure appropriate data sources, so the application needs to store its database connection information somewhere to be reloaded if the application is restarted.

I also need to give one user administrator privileges. If this is just the first user account created, there is the small possibility that the admin account could be hijacked in between the time that the application is deployed and the time that the installer logs in.

I need to do both of these tasks securely and in a way that is lowest common denominator for a web application.

Clarification: Upon first use I want the application to set up an admin user. That admin user will have all security access in the system. Somehow I need to determine what that user is called and what their password will be. If the application gets deployed on a shared web host, the application will be live from the moment it is deployed. If I allow the site to be configured through a web interface, there is the small possibility that an unauthorised person will do the web configuration before the site owner, effectively hijacking the site. I am looking for an elegant way to avoid this.

A: 

The most common way to do this is through a static configuration file, in some simple text format.

The file resides on the same system as the application, and should be just as secure as the code (e.g., if someone has access to modify the configuration who shouldn't be able to, couldn't they just as easily modify the code?).

MattJ
I thought of this but it didn't seem very web application like. The file would, of necessity, have to be stored externally to the web application and then issues of what your web host allows come into play.
Peter Kelley
A: 

For one of our Java web apps, we're using Spring dependency injection to configure most of the app. If you create a "Configuration" class with all of the configurable properties exposed, you can wire up a bean in Java that is configured via Spring XML context file. You can then create different versions of the XML file for your different environments, and have them automatically built into specific packages, which can be deployed all-at-once. If you want to go all-out, you can basically configure every single class in your application using Spring, which is really useful.

There's a little bit of overhead to get Spring set up, but it's actually not too hard; there are plenty of tutorials out there.

Andy White
Yep, lots of Spring in the app already, but this is intended to be deployable on a 3rd party host and it would be great if all they had to do was deploy a war rather than rebuild the war before deploy.
Peter Kelley
+1  A: 

Ok, to answer your revised question...

There isn't really that much you can do. If you don't want the admin to configure their account during installation on the server, then there will always be a small window where someone else might create it via the web before they do.

All the solutions involve modifying something on the server (as this is how they prove they are the real admin). Yes, that can mean a config file...

  • Upon first connect, give the user a token. Basically a hash of some salt+theirIP+theirUserAgent, etc. Then ask them to log into the server and feed this token to your app, probably in a config file. If the generated token next time matches the one in the config, allow them to proceed.

  • A simpler solution is to let them put their IP address in the config from the start, and just allow this IP. (Assumes they know what their IP address is)

  • Alternatively, allow account creation, but refuse to do anything else until some file is removed from the server. Many PHP apps do this with an install.php, but the file could be anything you test for.

MattJ
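
The token check from the first bullet of the answer above, as an added example that is not part of the original answer. The class name `SetupGate`, the claim file and the sample client values are assumptions made for illustration; it uses HMAC-SHA256 keyed with a random per-run salt instead of a plain hash, and needs Java 17 for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SetupGate {
    // Random salt held in memory only: a restart invalidates tokens that were never claimed.
    private final byte[] salt = new byte[32];
    private final Path claimFile; // hypothetical file the installer edits on the server

    public SetupGate(Path claimFile) {
        new SecureRandom().nextBytes(salt);
        this.claimFile = claimFile;
    }

    /** Token shown to a visitor: HMAC-SHA256(salt, ip + "\n" + userAgent), hex encoded. */
    public String tokenFor(String ip, String userAgent) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(salt, "HmacSHA256"));
        byte[] tag = mac.doFinal((ip + "\n" + userAgent).getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(tag);
    }

    /** True only if this client's token has been written into the claim file on the server. */
    public boolean mayCreateAdmin(String ip, String userAgent) throws Exception {
        if (!Files.isRegularFile(claimFile)) return false;
        byte[] stored = Files.readString(claimFile).trim().getBytes(StandardCharsets.UTF_8);
        byte[] expected = tokenFor(ip, userAgent).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, expected); // comparison that does not leak the match position
    }

    public static void main(String[] args) throws Exception {
        Path claim = Files.createTempFile("setup-claim", ".txt"); // constructed sample path
        SetupGate gate = new SetupGate(claim);
        String ip = "203.0.113.7", ua = "ExampleBrowser/1.0";     // constructed sample client
        System.out.println("before claim: " + gate.mayCreateAdmin(ip, ua));
        Files.writeString(claim, gate.tokenFor(ip, ua)); // installer pastes the token on the server
        System.out.println("owner after claim: " + gate.mayCreateAdmin(ip, ua));
        System.out.println("other client: " + gate.mayCreateAdmin("198.51.100.9", ua));
        Files.delete(claim);
    }
}
```

In a real deployment the setup page would call `mayCreateAdmin` before accepting the admin username and password, and the claim file would be deleted once the account exists.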