2

I have a Java server running on Google App Engine, with integrations with third-party services (e.g. SendGrid).

What's the best way to store credentials (usernames/passwords, API keys) for these third-party services? In the Java code, or through a configuration file such as web.xml or appengine-web.xml, or elsewhere? How would I access the credentials through code?

user2181948
  • this *might* be of interest before going to implementation: http://stackoverflow.com/questions/3777367/what-is-a-good-place-to-store-configuration-in-google-appengine-python – Dan Cornilescu Jul 28 '16 at 03:02
  • I usually store my credentials in property-files and load them in a static configuration class. That way the code compiles even if the credentials are missing and you don't have to commit your credentials to your SCM (simply exclude the property file) – konqi Jul 28 '16 at 09:16

2 Answers

1

If you are using Java in GAE, then you can save the credentials in a file under src/main/resources/ or, if you are not using this structure, put the file in the src package.

ClassLoader classloader = Thread.currentThread().getContextClassLoader();
InputStream is = classloader.getResourceAsStream("credentials.json");

or

// A leading "/" resolves from the classpath root instead of AnyClassName's package
InputStream is = AnyClassName.class.getResourceAsStream("/credentials.json");

How to read it is answered in this question: How do I load a file from resource folder?

Then you can convert the InputStream to a Map or any POJO using any JSON library; popular ones are:

  • Gson
  • Jackson

Also make sure the file is not tracked in version control (if you use any), so that the file is not available to others, and you inject that file only during deployment.

The same kind of solution applies to other languages also, just not with the same folder structure as Java.

Community
Ramesh Lingappa
0

In my opinion it is good to save sensitive data in external files in the WEB-INF folder. A lot of keys from third-party services can be downloaded as a file and you just need to paste it in, like the example file

And you can access it in code like

getServletContext().getResourceAsStream("/WEB-INF/credentials.json")
Yevgen
  • How would the file be accessible from outside a servlet? – user2181948 Jul 28 '16 at 21:07
  • The WEB-INF directory is a private area of the web application; any files under the WEB-INF directory cannot be accessed directly from the browser by specifying a URL like http://yoursite/WEB-INF/credentials.json – Yevgen Jul 29 '16 at 06:46
  • I meant how would you access the file from a method that isn't an http servlet? I noticed you used the getServletContext() method. – user2181948 Jul 29 '16 at 07:35
  • Create one servlet on startup, read it there and pass it wherever you want – Yevgen Jul 29 '16 at 08:05
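
The approach raised in the comments (a property file kept out of version control, loaded once by a static configuration class so that non-servlet code can read it too), as an added example that is not code from any of the posts above. The class name `Credentials`, the resource name `credentials.properties` and the key `sendgrid.api.key` are assumptions; the sample value in `main` is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

// Hypothetical holder class; callable from servlets and plain classes alike.
public final class Credentials {
    // Assumed resource name: kept in src/main/resources and excluded from SCM.
    private static final String RESOURCE = "credentials.properties";
    private static Credentials instance;
    private final Properties props = new Properties();

    Credentials(InputStream in) throws IOException {
        if (in == null) { // file is injected at deploy time only, so fail loudly
            throw new IllegalStateException(RESOURCE + " not found on classpath");
        }
        try (InputStream src = in) {
            props.load(src);
        }
    }
    /** Reads the classpath file once, on first use. */
    public static synchronized Credentials get() {
        if (instance == null) {
            ClassLoader cl = Thread.currentThread().getContextClassLoader();
            try {
                instance = new Credentials(cl.getResourceAsStream(RESOURCE));
            } catch (IOException e) {
                throw new IllegalStateException("cannot read " + RESOURCE, e);
            }
        }
        return instance;
    }
    /** Returns the secret for key; the error names the key, never a value. */
    public String require(String key) {
        String v = props.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("missing credential: " + key);
        }
        return v.trim();
    }
    @Override public String toString() { return "Credentials[redacted]"; }

    public static void main(String[] args) throws IOException {
        // Constructed sample standing in for the real, untracked file.
        byte[] sample = "sendgrid.api.key=SG.constructed\n".getBytes(StandardCharsets.UTF_8);
        Credentials c = new Credentials(new ByteArrayInputStream(sample));
        System.out.println(c.require("sendgrid.api.key").length() + " chars; " + c);
    }
}
```

In application code the call is `Credentials.get().require("sendgrid.api.key")`, which works without a `ServletContext` because the file is resolved through the class loader.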