Just started a new job at one of those places using a bunch of sheer WTF legacy stuff and I'm running into weird config issues. Our entire app resides in one HUGEASS Portal project running on Tomcat 7. Tomcat's catalina.properties file has our database user and password sitting there in plaintext. I'm developing a one-off app that'll be triggered from Quartz and doesn't have jack poo poo to do with Tomcat, totally separate. However, the higher ups want me to use that catalina.properties user/pass from my separate app for db connection so we only have one instance of the horribly insecure plaintext user/pass. What's the best way to go about referencing that?
May 28, 2013 22:12
MrTheDevious posted: so we only have one instance of the horribly insecure plaintext user/pass
As for loading from the file: http://stackoverflow.com/questions/333363/loading-a-properties-file-from-java-package Standard caveats for permissions apply. Assumes the file is on the same machine.
May 28, 2013 22:41
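As an added example (not code from the thread), here is one way the separate Quartz app could load the shared properties file and enforce the permission caveat before using anything in it. The key names db.user and db.password are assumptions; catalina.properties lives under $CATALINA_BASE/conf, but the actual key names depend on how the Portal project was configured.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class CatalinaCredentials {

    // Bits that would let accounts other than the owner read the secret, or let the group change it.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE,
            PosixFilePermission.OTHERS_EXECUTE, PosixFilePermission.GROUP_WRITE);

    /** Loads the file, refusing to start if it is world-readable or group-writable. */
    public static Properties load(Path file) throws IOException {
        Path real = file.toRealPath();                       // follow symlinks; check the actual file
        if (!Files.isRegularFile(real)) {
            throw new IOException("not a regular file: " + real);
        }
        // Throws UnsupportedOperationException on non-POSIX filesystems (Windows); treat that as fatal too.
        Set<PosixFilePermission> open = new HashSet<>(Files.getPosixFilePermissions(real));
        open.retainAll(TOO_OPEN);
        if (!open.isEmpty()) {
            throw new IOException(real + " has unsafe permissions " + open + "; chmod 640 (or 600) it");
        }
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(real)) {
            p.load(in);
        }
        return p;
    }

    /** Fetches a required key; the error names the key but never echoes a value. */
    public static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("missing property: " + key);
        }
        return v.trim();
    }

    public static void main(String[] args) throws IOException {
        // Default path is the stock Tomcat location; pass another as the first argument.
        String base = System.getenv("CATALINA_BASE");
        Path file = Paths.get(args.length > 0 ? args[0]
                : (base == null ? "." : base) + "/conf/catalina.properties");
        Properties p = load(file);
        String user = require(p, "db.user");        // hypothetical key names; use the ones the Portal project defines
        String pass = require(p, "db.password");
        System.out.println("loaded credentials for " + user + " (" + pass.length() + " char password)");
        // hand user/pass to the DataSource here; don't log them and don't copy them into another file
    }
}
```

Two things to keep in mind: java.util.Properties does not expand ${catalina.base}-style references the way Tomcat does when it reads this file, so the credential keys need to be literal values; and because the file is now read by two processes running as possibly different users, the check above deliberately tolerates group read (chmod 640 with a shared group) while still rejecting world read.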
MrTheDevious posted: Just started a new job at one of those places using a bunch of sheer WTF legacy stuff and I'm running into weird config issues. Our entire app resides in one HUGEASS Portal project running on Tomcat 7. Tomcat's catalina.properties file has our database user and password sitting there in plaintext.
How would you store the database credentials? I would love to see another idea (properties file, datasource file, whatever other configuration file). I'm asking because I had a few years back a security guy saying the same thing, that the database credentials were stored in the jboss datasource file on the server in plain text (only the _jboss user could read it, but ... it was there). His idea was to split the password up in at least 5 pieces and encrypt them all. I personally think that's overkill, but I'm open to any ideas that one may have on how to improve that.
May 29, 2013 01:50
Most things that a non-security-person would think of trying fall under easily-defeated obfuscation and not actual security. Ultimately you have to decide: if you reboot the server, can it bring itself up on its own? If so, it's going to need access to its own credentials, which means that if an attacker compromises the server they will have access to those credentials too. The best you're going to achieve is requiring the attacker to completely compromise the server (instead of just getting filesystem read access or whatever) - for example you could encrypt the password file with a key stored in a hardware TPM. If we're talking really high-value credentials, and it's okay for the server to require manual intervention to bring it up, you can store the credentials externally (for example on a smart card), have the sysadmin use them to authenticate the machine when it starts up, and from that point use a short-lived authentication token instead of the actual credentials to authenticate with any remote service.
May 29, 2013 02:25
rhag posted: His idea was to split the password up in at least 5 pieces and encrypt them all. I personally think that's overkill, but I'm open to any ideas that one may have on how to improve that.
What's the point of splitting it up? I'm emphatically not a "security guy", but my gut tells me this guy wasn't either. I mean...if it's encrypted it's encrypted, the "5 pieces and encrypt it" sounds like technobabble off of CSI. But then again, maybe (probably) I'm an idiot.
May 29, 2013 04:23
Got an Apache CXF WebClient question. No response on the cxf-users list for a couple days so I thought I'd try here. Basically, I need to be able to dynamically specify the order of XML elements at runtime. XmlType.propOrder works great for compile time, not for runtime though. I was directed towards the Transformation Feature and outDropElements/outAppendElements. It sounds like it will accomplish what I need to do, I can't for the life of me figure out how to get it to work though. Here's what I'm starting with: code:
code:
code:
code:
May 29, 2013 06:15
rhag posted: How would you store the database credentials? I would love to see another idea (properties file, datasource file, whatever other configuration file). I'm asking because I had a few years back a security guy saying the same thing, that the database credentials were stored in the jboss datasource file on the server in plain text (only the _jboss user could read it, but ... it was there). His idea was to split the password up in at least 5 pieces and encrypt them all. I personally think that's overkill, but I'm open to any ideas that one may have on how to improve that.
I don't know about Tomcat but JBoss has a utility for encrypting DB passwords and creating a hash. The Tomcat docs say the following: "If using digested passwords with DIGEST authentication, the cleartext used to generate the digest is different. In the examples above {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form testUser:localhost:8080:testPassword."
May 29, 2013 15:52
What does JBoss use for a encryption key and does it allow you to reboot the server without prompting for a password?
May 29, 2013 16:31
Is this database holding anything related to health records or financial data? (If so, I would reconsider storing the passwords at all and just requiring them to be entered when the application is restarted.) If the data is not important, and you really want to avoid typing the password, are you using a database user who has only the necessary permissions? E.g., the database user used by the application should not have the ability to change the schema or change security settings. It should be able to read, insert, delete and update only the tables it needs.
Fly fucked around with this message at 22:47 on May 29, 2013
May 29, 2013 22:45
Hard NOP Life posted: What does JBoss use for a encryption key and does it allow you to reboot the server without prompting for a password?
JBoss has a utility that encrypts the key: "15.1.1. Encrypt the data source password" http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Encrypting_Data_Source_Passwords.html
May 30, 2013 10:38
TheresaJayne posted: JBoss has a utility that encrypts the key
If this is the code needed to decrypt the password (LGPL code, avert your eyes if you're not allowed to look at LGPL code): Java code:
(Less secure would be if it tricks a reasonable person into thinking it offers fundamentally better security than mere plaintext so that said person would use it in a place where they wouldn't use plaintext.)
May 30, 2013 13:46
It's extra thoughtful that they make it a private static method, with the key hard coded in it. That way you can't even easily extend it and provide your own key. Of course, extending it and providing your own key would only slow down an attacker a little bit. If they had disk access anyway, they could find the corresponding implementation class, jad it, and look for likely candidates.
May 30, 2013 13:57
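To make concrete the distinction drawn in the posts above (Lyesh's point that encryption with a key the server can reach on its own is obfuscation, and the hard-coded-key decrypt routine discussed here), this added example, which is not the thread's code and not JBoss's, puts the two patterns side by side: a fixed key compiled into the class, and a key derived from a passphrase the operator types at startup so that nothing on disk decrypts the value without them. Class names, the key bytes and the sample password are all made up for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialAtRest {

    // Pattern 1 (constructed to show the shape, not any vendor's code): the key sits in the
    // class next to decode(). Anyone who can read the jar, or decompile it, recovers the
    // password with one method call; this hides it from a glance at the config file, nothing more.
    static final class FixedKeyObfuscation {
        private static final byte[] KEY = "hypothetical-key".getBytes(StandardCharsets.US_ASCII); // 16 bytes, made up

        static String encode(String plain) throws Exception {
            Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
            return Base64.getEncoder().encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
        }

        static String decode(String encoded) throws Exception {
            Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"));
            return new String(c.doFinal(Base64.getDecoder().decode(encoded)), StandardCharsets.UTF_8);
        }
    }

    // Pattern 2: the "manual intervention" option. The key is derived from a passphrase the
    // operator types at startup; only salt, nonce and ciphertext are stored, so the server
    // cannot decrypt the value on its own and neither can someone who copies the disk.
    static final class PassphraseSealed {
        private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 600_000;

        private static SecretKey derive(char[] passphrase, byte[] salt) throws Exception {
            KeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        }

        /** Returns Base64(salt || iv || ciphertext+tag), suitable for a properties value. */
        static String seal(String plain, char[] passphrase) throws Exception {
            SecureRandom rng = new SecureRandom();
            byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
            rng.nextBytes(salt);
            rng.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, derive(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
            ByteBuffer out = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct);
            return Base64.getEncoder().encodeToString(out.array());
        }

        /** Inverse of seal(); a wrong passphrase fails the GCM tag check instead of yielding garbage. */
        static String open(String blob, char[] passphrase) throws Exception {
            ByteBuffer in = ByteBuffer.wrap(Base64.getDecoder().decode(blob));
            byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN], ct = new byte[in.remaining() - SALT_LEN - IV_LEN];
            in.get(salt).get(iv).get(ct);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, derive(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
            return new String(c.doFinal(ct), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        String dbPassword = "example-only-not-a-real-secret";   // constructed

        String obfuscated = FixedKeyObfuscation.encode(dbPassword);
        System.out.println("obfuscated: " + obfuscated);
        System.out.println("recovered by anyone holding the class: " + FixedKeyObfuscation.decode(obfuscated));

        // Read the passphrase without echo when a console is attached; the fallback is for demo runs only.
        char[] passphrase = System.console() != null
                ? System.console().readPassword("Startup passphrase: ")
                : "demo-passphrase".toCharArray();
        String sealed = PassphraseSealed.seal(dbPassword, passphrase);
        boolean ok = PassphraseSealed.open(sealed, passphrase).equals(dbPassword);
        Arrays.fill(passphrase, '\0');                          // scrub once the key is derived
        System.out.println("sealed: " + sealed);
        System.out.println("round trip with the right passphrase: " + ok);
        try {
            PassphraseSealed.open(sealed, "wrong".toCharArray());
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("wrong passphrase rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The second pattern only buys anything if the passphrase is never written down on the box (no fallback in a script, no environment variable in a unit file), which is exactly the operational cost Lyesh describes: an unattended reboot cannot bring the service up. If that cost is unacceptable, the honest alternative is a properties file with tight permissions and a low-privilege database account, not a decode() with its key next door.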
My previous post probably read like I was ragging on TheresaJayne, but it wasn't my intention. I don't know much about security, but what I know is that security is hard. There may well be good reasons and proper places for using such simple encryptions. I'd just be wary of anything that smells like security by obscurity, because with my knowledge the first person being obscured is me myself.
May 30, 2013 14:15
Win8 Hetro Experie posted: My previous post probably read like I was ragging on TheresaJayne, but it wasn't my intention. I don't know much about security, but what I know is that security is hard. There may well be good reasons and proper places for using such simple encryptions. I'd just be wary of anything that smells like security by obscurity, because with my knowledge the first person being obscured is me myself.
I was just raising the issue, I had to look at it for our production systems, the idea is rather than having in the JBoss config files like this code:
code:
May 30, 2013 17:10
I'm trying to create a zip file on the fly containing a bunch of csv files to return from a servlet and its confusing as hell with writers and readers and streams. A little guidance would be great. Here are chunks of code I have that somehow need to work together:code:
Jun 3, 2013 20:48
Hey guys, sorry if this question has been answered a million times but are there any good books for transitioning from beginner Java to more advanced subjects? I'm feeling kind of lost on what to pick up next after finishing Head First Java.
Krull fucked around with this message at 21:27 on Jun 3, 2013
Jun 3, 2013 20:50
Krull posted: Hey guys, sorry if this question has been answered a million times but are there any good books for transitioning from beginner Java to more advanced subjects? I'm feeling kind of lost on what to pick up next after finishing Head First Java.
Just try doing a project. Then learn what you need to complete that project.
Jun 3, 2013 20:54
Krull posted: Hey guys, sorry if this question has been answered a million times but are there any good books for transitioning from beginner Java to more advanced subjects? I'm feeling kind of lost on what to pick up next after finishing Head First Java.
The generic answer is the best: read/do the official Java tutorials or do a project of some sort. When you run into a roadblock google it; someone on stackoverflow has probably asked it before, or just ask here. What are you looking to do with Java?
Jun 3, 2013 21:10
I have a mature Swing app that I want to convert to dockable/undockable (attachable/detachable) panels. I'm not finding much in the Java API aside from 3rd party/proprietary libraries. Can anyone point me to resources for creating these (either tutorials, libraries, or something)?
Jun 3, 2013 21:16
FateFree posted: I'm trying to create a zip file on the fly containing a bunch of csv files to return from a servlet and its confusing as hell with writers and readers and streams. A little guidance would be great. Here are chunks of code I have that somehow need to work together:
To add files to a zip file in java is relatively easy, take a look at this example: http://www.mkyong.com/java/how-to-compress-files-in-zip-format/ (first link in google). Essentially, you just need to add ZipEntries to a ZipOutputStream and then just write to the stream. An entry corresponds with a file in the zip. When done writing the file, close the entry, make a new one and keep on writing. When fully done, close the output stream. Now, about where do you get the data: As far as I know (please correct me if I'm wrong here), CSV stands for Comma Separated Values. That is, a CSV file is a bunch of lines where elements are being separated by a comma. code:
code:
Jun 4, 2013 15:12
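An added example (not FateFree's or rhag's code) of the ZipEntry-per-file approach with plain JDK classes, including the two checks a practitioner would want before streaming exported data to a browser: RFC 4180 quoting plus neutralising formula prefixes, so a cell such as =HYPERLINK(...) is not executed when the CSV is opened in a spreadsheet, and flattening entry names, so a client's unzip tool cannot be steered outside its target directory by a name like ../../x. The sample tables and the servlet lines in the comments are constructed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class CsvZipExport {

    // RFC 4180 quoting. A leading = + - @ tab or CR is prefixed with an apostrophe so spreadsheet
    // applications treat the cell as text rather than a formula (CSV injection).
    static String csvField(String raw) {
        String v = raw == null ? "" : raw;
        if (!v.isEmpty() && "=+-@\t\r".indexOf(v.charAt(0)) >= 0) {
            v = "'" + v;
        }
        boolean needsQuotes = v.indexOf(',') >= 0 || v.indexOf('"') >= 0
                || v.indexOf('\n') >= 0 || v.indexOf('\r') >= 0;
        return needsQuotes ? '"' + v.replace("\"", "\"\"") + '"' : v;
    }

    static String csvLine(String[] fields) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < fields.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(csvField(fields[i]));
        }
        return sb.append("\r\n").toString();
    }

    // Entry names may originate from request parameters. Keep them flat: no path separators,
    // no leading dot, always a .csv suffix.
    static String entryName(String name) {
        String base = name == null ? "" : name.replaceAll("[^A-Za-z0-9._-]", "_");
        if (base.isEmpty() || base.startsWith(".")) base = "export" + base;
        return base.endsWith(".csv") ? base : base + ".csv";
    }

    /** One zip entry per table; the caller owns the OutputStream (e.g. the servlet response). */
    static void writeZip(OutputStream out, Map<String, List<String[]>> tables) throws IOException {
        ZipOutputStream zip = new ZipOutputStream(out, StandardCharsets.UTF_8);
        Writer w = new OutputStreamWriter(zip, StandardCharsets.UTF_8);
        for (Map.Entry<String, List<String[]>> t : tables.entrySet()) {
            zip.putNextEntry(new ZipEntry(entryName(t.getKey())));
            for (String[] row : t.getValue()) {
                w.write(csvLine(row));
            }
            w.flush();          // push the Writer's buffered chars into this entry before it is closed
            zip.closeEntry();
        }
        zip.finish();           // writes the central directory without closing the underlying stream
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data; in the servlet this comes from your queries.
        Map<String, List<String[]>> tables = new LinkedHashMap<>();
        tables.put("users", Arrays.asList(
                new String[] {"id", "name", "note"},
                new String[] {"1", "O'Brien, Pat", "says \"hi\""},
                new String[] {"2", "=HYPERLINK(\"http://evil.example/\",\"click\")", "formula in data"}));
        tables.put("../../escape attempt", Arrays.asList(new String[] {"a", "b"}));
        try (OutputStream out = Files.newOutputStream(Paths.get("export.zip"))) {
            writeZip(out, tables);
        }
        // In the servlet (hypothetical wiring):
        //   response.setContentType("application/zip");
        //   response.setHeader("Content-Disposition", "attachment; filename=\"export.zip\"");
        //   writeZip(response.getOutputStream(), tables);
    }
}
```

The Writer wraps the ZipOutputStream rather than a ByteArrayOutputStream, so nothing is buffered in memory per file; the only rule is to flush the Writer before closeEntry(), otherwise the tail of one CSV lands in the next entry.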
rhag posted: Now, about where do you get the data: As far as I know (please correct me if I'm wrong here), CSV stands for Comma Separated Values. That is, a CSV file is a bunch of lines where elements are being separated by a comma.
Just FYI, in this case you typically use a library because otherwise all you're essentially doing is writing your own library that's more ad-hoc and lovely. Either that or you're baking your output encoding directly into the logic that generates those values, which is an even worse idea.
Jun 4, 2013 16:37
rhag posted: I don't really understand why one would need to use a library but anyway. From the looks of it, CSVWriter accepts a writer as an argument on the constructor. You can pass it a StringWriter as the writer to write to, and then just call stringWriter.toString() to get the data it wrote. The buffer will become something like
Thanks for the info, I actually figured out a way to do it without the string writer, and just use the output stream for the zip directly: code:
Jun 4, 2013 18:07
I'm looking for something to administer processes distributed across servers. I want to add, remove, start, stop, and configure the processes from a central location. The processes themselves are implemented in Java (or something else which interfaces through Java), but some other communication mechanism like web services would also be fine. Mainly I want a nice UI (web based or thick client) which does all this administration without much integration work on my part. Any recommendations?
Jun 7, 2013 18:26
Sedro posted: I'm looking for something to administer processes distributed across servers. I want to add, remove, start, stop, and configure the processes from a central location. The processes themselves are implemented in Java (or something else which interfaces through Java), but some other communication mechanism like web services would also be fine. Mainly I want a nice UI (web based or thick client) which does all this administration without much integration work on my part. Any recommendations?
That would be JMX, it's built into java's binary jconsole, so there's your UI (not really that nice, but whatever). It can connect to remote or local servers running on specified ports, and it's not much work to get it integrated.
Jun 7, 2013 19:10
baquerd posted: That would be JMX, it's built into java's binary jconsole, so there's your UI (not really that nice, but whatever). It can connect to remote or local servers running on specified ports, and it's not much work to get it integrated.
OSGi is also an option but it's fairly intrusive to integrate and the web UIs I've seen (Felix, Karaf) are not all that good.
Jun 7, 2013 20:10
Sedro posted: I was under the impression that it could connect to running processes but couldn't start or stop them. (I am using a loose definition of "process" here).
It's a really simple workaround to have a launcher process that's responsible for starting/stopping the other processes and that supports JMX.
Jun 7, 2013 20:45
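Here is the launcher idea as an added example (not the thread's code): a standard MBean that starts and stops child processes from a fixed catalogue, registered on the platform MBeanServer so jconsole can drive it. The object name, the catalogue contents and the sleep command are made up. The operations deliberately take a catalogue name rather than a command line, so a JMX client cannot turn the launcher into a remote shell.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;

public class ProcessLauncher {

    // Standard MBean contract: the implementing class must be named <Interface name minus "MBean">.
    public interface LauncherMBean {
        String[] list();
        boolean start(String name);
        boolean stop(String name);
        boolean isRunning(String name);
    }

    public static class Launcher implements LauncherMBean {
        // Fixed catalogue of commands this launcher may run; nothing else is reachable over JMX.
        private final Map<String, String[]> catalogue;
        private final Map<String, Process> running = new ConcurrentHashMap<>();

        public Launcher(Map<String, String[]> catalogue) {
            this.catalogue = catalogue;
        }

        @Override
        public String[] list() {
            return catalogue.keySet().toArray(new String[0]);
        }

        @Override
        public synchronized boolean start(String name) {
            String[] cmd = catalogue.get(name);
            if (cmd == null || isRunning(name)) {
                return false;                       // unknown name or already up
            }
            try {
                running.put(name, new ProcessBuilder(cmd).inheritIO().start());
                return true;
            } catch (IOException e) {
                return false;                       // e.g. binary not found; surface via logging in real use
            }
        }

        @Override
        public synchronized boolean stop(String name) {
            Process p = running.remove(name);
            if (p == null) {
                return false;
            }
            p.destroy();                            // SIGTERM; use destroyForcibly() for a hard kill
            return true;
        }

        @Override
        public boolean isRunning(String name) {
            Process p = running.get(name);
            return p != null && p.isAlive();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String[]> catalogue = new ConcurrentHashMap<>();
        catalogue.put("sleeper", new String[] {"sleep", "300"});   // constructed demo command
        Launcher launcher = new Launcher(catalogue);

        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        server.registerMBean(launcher, new ObjectName("com.example.ops:type=Launcher")); // hypothetical name
        System.out.println("registered; attach jconsole to this JVM and invoke start(\"sleeper\")");
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

If you expose this over the network with com.sun.management.jmxremote.port, keep com.sun.management.jmxremote.authenticate at its default of true, point the password and access files at real credentials, and turn on com.sun.management.jmxremote.ssl. An unauthenticated remote JMX port hands these operations (and, through the JVM's own MBeans, a lot more) to anyone who can reach it.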
Fly posted: Is this database holding anything related to health records or financial data? (If so, I would reconsider storing the passwords at all and just requiring them to be entered when the application is restarted.)
Yes, some of both, which is why I brought the subject up. Apparently nobody but me is concerned though, as I was told to just not worry about it at all. We manage every server ourselves, so requiring runtime entry manually instead of having plaintext laying around everywhere seems like a nobrainer, but it's not gonna happen.
Jun 10, 2013 19:02
Sedro posted: I'm looking for something to administer processes distributed across servers. I want to add, remove, start, stop, and configure the processes from a central location. The processes themselves are implemented in Java (or something else which interfaces through Java), but some other communication mechanism like web services would also be fine. Mainly I want a nice UI (web based or thick client) which does all this administration without much integration work on my part. Any recommendations?
Akka has some nice stuff for this.
Jun 11, 2013 20:27
Is there a Java equivalent of Pygame? Pygame is an absolute dream to work with because of how straightforward it is to use for graphics, but Python is too slow for my project.
Jun 12, 2013 09:45
I've had good experiences working with Slick2D, but last I checked their site was down, and it might not be easy to get into without its Javadocs. EDIT: I'm unfamiliar with Pygame, but in terms of ease of use, Slick is very approachable.
Joda fucked around with this message at 12:30 on Jun 12, 2013
Jun 12, 2013 12:19
What is a good way to obtain the value of HTML tags which are stored as a String in Java? Should I convert the HTML String into an XML DOM and parse it that way?
Jun 19, 2013 21:08
DholmbladRU posted: What is a good way to obtain the value of HTML tags which are stored as a String in Java? Should I convert the HTML String into an XML DOM and parse it that way?
Parsing HTML in Java is best done with jsoup.
Jun 19, 2013 23:24
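An added example of jsoup usage (not code from the thread) that pulls element text and link targets out of an HTML string with CSS selectors, and runs the markup through a safelist before any of it is re-rendered. The input is constructed and contains a script tag, an inline event handler and a javascript: link to show what Jsoup.clean drops. Safelist is the class name in jsoup 1.14.1 and later; older releases call the same class Whitelist.

```java
import java.util.ArrayList;
import java.util.List;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

public class HtmlTagValues {

    // Text content of every element matched by the selector. text() decodes entities and
    // drops nested markup, so what comes back is a plain string, never HTML.
    static List<String> textOf(String html, String cssQuery) {
        Document doc = Jsoup.parse(html);
        List<String> out = new ArrayList<>();
        for (Element e : doc.select(cssQuery)) {
            out.add(e.text());
        }
        return out;
    }

    // Attribute values resolved against a base URI, so relative hrefs come back absolute.
    // Note that abs:href does not validate the scheme; treat the result as untrusted input.
    static List<String> hrefs(String html, String baseUri) {
        Document doc = Jsoup.parse(html, baseUri);
        List<String> out = new ArrayList<>();
        for (Element a : doc.select("a[href]")) {
            out.add(a.attr("abs:href"));
        }
        return out;
    }

    // For markup that is going back into a page you serve: the basic safelist keeps simple
    // formatting and http/https/mailto links, and removes scripts, event handlers and javascript: URLs.
    static String sanitize(String html) {
        return Jsoup.clean(html, Safelist.basic());
    }

    public static void main(String[] args) {
        // Constructed input, shaped like a scraped or user-submitted fragment.
        String html = "<div class=item><span class=title>First &amp; foremost</span>"
                + "<a href='/doc/1'>doc</a></div>"
                + "<div class=item><span class=title>Second</span>"
                + "<a href='javascript:alert(1)' onclick='steal()'>bad</a></div>"
                + "<script>document.cookie</script>";

        System.out.println("titles: " + textOf(html, "div.item > span.title"));
        System.out.println("links:  " + hrefs(html, "https://example.org/"));
        System.out.println("clean:  " + sanitize(html));
    }
}
```

Selecting with doc.select() and reading text() answers the original question directly; the sanitize step is the one to remember when the "value" you extracted is going to be written back into HTML, because the lenient parser that makes jsoup pleasant to use will happily preserve a payload that an XML parser would have rejected.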
Joda posted: I've had good experiences working with Slick2D, but last I checked their site was down, and it might not be easy to get into without its Javadocs.
It's all hosted here for now: http://slick.ninjacave.com/
Jun 20, 2013 14:13
Hard NOP Life posted: Parsing HTML in Java is best done with jsoup.
Thanks, I actually found that library yesterday after I posted. Seems to have what I need. Thanks!
Jun 20, 2013 14:38
Woodsy Owl posted: Is there a Java equivalent of Pygame? Pygame is an absolute dream to work with because of how straightforward it is to use for graphics, but Python is too slow for my project.
I haven't used Pygame, but LibGDX is a great framework for Java.
Jun 20, 2013 15:05
Got another maven question. In my build I'm generating a jar from a wsdl using the maven-antrun-plugin. Is there a way to set this generated jar to be the main build artifact, rather than the jar that maven generated because I'm using <packaging>jar</packaging>? I tried to use attach-artifact from build-helper-maven-plugin but it failed with "An attached artifact must have a different ID than its corresponding main artifact.". Not really sure what the correct way to be going about this is.
Jun 24, 2013 21:31
Have you tried creating a separate project for the web services and then including it as a dependency in your main project?
Jun 24, 2013 21:39
Hard NOP Life posted: Have you tried creating a separate project for the web services and then including it as a dependency in your main project?
The module that converts the wsdl to java is already a separate project, with my intent being exactly that, to include it as a dependency in my main project. Just can't seem to figure out how to have it ignore the default jar and install/deploy the jar that was generated by the ant task.
Jun 24, 2013 22:43
If you already have a little bit of Ant you can always add more. Is there some slot where Maven has created its jar where you could add the contents from the Ant-built jar to the Maven-built jar? Working with jars using Ant is easy.
Jun 24, 2013 22:55
You can probably use the shade plugin to include that jar's contents in your maven packaged jar.
Jun 24, 2013 22:56