0

Due to design constraints, the project I am currently working on won't allow us to write a certain set of configuration parameters in plain text files such as properties files (mainly due to security constraints).

Is there any way to conceal these configuration parameters in order for them to be accessible just to the code programmers? A plain Java object is so far my only idea.

Also, it's worth noting that hard-coding values is not a good solution for us, given there are many 'sub-applications' that require their own configuration. In this point consider some kind of resource bundle but that will still have the original problem.

EDIT: So I came across Jasypt as proposed here; nonetheless, I think that for my case saving this in some kind of obfuscated file is sufficient, since it is all we need in order to make the user stop tampering with configuration files.

Cœur
jfzr
  • 1
    Security through obscurity is always a bad idea, if this is what you mean by 'conceal'. Your concealed values __will__ be revealed, given some time and effort. If this is the case, we probably need more info on the architecture, in order to see if anything better is possible. You can read more here: https://stackoverflow.com/questions/533965/why-is-security-through-obscurity-a-bad-idea – Iakovos Feb 17 '17 at 19:22
  • Well, it is a kind of security by obscurity. So, the deal is we have a server that acts like an engine for other applications. In order to deploy the application we need to write a set of configurations. Then the code is deployed in a war file on our clients' servers. The situation is that sometimes our clients or people surrounding our clients tamper with this open configuration and cause lots of headaches. So that is why we want the configuration to be obscure once the application is deployed. – jfzr Feb 17 '17 at 20:14
  • Ok I see. The problem is that if someone wants to, making sense of an obfuscated file is always possible. As a matter of fact, if anything is in the hands of a user, it can be cracked. There is no such thing as perfect security, but obfuscation is far even from good security. I would suggest you investigate whether the war files can be generated based on some configuration (getting rid of all the irrelevant code), rather than functioning based on some configuration, if that makes sense. – Iakovos Feb 17 '17 at 23:53
  • 1
    For example, if you have a function X that you don't want some client to have access to, remove it completely before generating the war file (probably based on some configuration), rather than having an if statement that says that if this variable exists in the configuration then run function X. – Iakovos Feb 17 '17 at 23:56

1 Answer

0

Use environment variables:

String value = System.getenv(myKey);

which are defined at the OS via export foo=bar (*nix) or SET foo=bar (Windows), or system properties:

String value = System.getProperty(myKey);

which are defined on the java command line, e.g. java -DmyKey=myValue ...

Glorfindel
Bohemian
  • Not really a good idea because it will reduce my code portability and still configuration can be easily accessed. – jfzr Feb 17 '17 at 20:06
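
The lookup from the answer above, applied to the question's several sub-applications, as an added example that is not part of the original answer or comments: each key is read from a JVM system property first and an environment variable second, and a missing key stops startup. The class name ExternalConfig, the "billing" prefix and the sample keys and values are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Optional;

/** Added example: per-sub-application settings read from -D properties, then environment variables. */
public final class ExternalConfig {
    private final String appPrefix; // hypothetical sub-application name, e.g. "billing"

    public ExternalConfig(String appPrefix) {
        this.appPrefix = appPrefix;
    }

    /** -Dbilling.db.url=... takes precedence over BILLING_DB_URL=... so a single launch can override the host default. */
    public Optional<String> find(String key) {
        String propertyName = appPrefix + "." + key;
        String value = System.getProperty(propertyName);
        if (value == null) {
            value = System.getenv(toEnvName(propertyName));
        }
        // Treat blank values as missing so an empty export does not pass as configuration.
        return Optional.ofNullable(value).map(String::trim).filter(v -> !v.isEmpty());
    }

    /** Fails closed at startup; the message names the expected keys but never prints a value. */
    public String require(String key) {
        return find(key).orElseThrow(() -> new IllegalStateException(
                "Missing setting: -D" + appPrefix + "." + key
                        + " or environment variable " + toEnvName(appPrefix + "." + key)));
    }

    /** Environment variable names cannot portably contain dots: billing.db.url -> BILLING_DB_URL. */
    static String toEnvName(String propertyName) {
        return propertyName.toUpperCase(Locale.ROOT).replaceAll("[^A-Z0-9]", "_");
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for "java -Dbilling.db.url=... ..." on the command line.
        System.setProperty("billing.db.url", "jdbc:postgresql://db.example.internal/billing");
        ExternalConfig billing = new ExternalConfig("billing");
        System.out.println("db.url resolved: " + billing.find("db.url").isPresent());
        try {
            // Not set as a property here; throws unless BILLING_DB_PASSWORD is exported in the environment.
            billing.require("db.password");
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Values passed with -D appear in the process command line and environment variables are readable by the account running the server, so this keeps settings out of the deployed war file but does not hide them from whoever administers the host.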