How to protect username password in shared environment - spring-security

How to protect database username and password in shared hosting environment using spring
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
    <property name="url"><value>jdbc:mysql:///BUSINESS</value></property>
    <property name="username"><value>root</value></property>
    <property name="password"><value>password</value></property>
</bean>

I am not aware of any Spring specific solution for this.
In a shared hosting environment one should make sure that files aren't publicly readable, so other users can't view the content of your files. In case of a shared application server, the app server should be in the same group, so only the application server gets access to your files.
An application should never use a MySQL root password. You should create a MySQL account with limited rights on a specific schema (for example a user that can only do DML statements and not DDL statements).
To keep the username/password out of a plain text file you could hardcode the configuration in a Java class (this is basically security through obscurity). Replacement configuration:
<bean id="dataSource"
      class="my.app.CustomDriverManagerDataSource" >
    <property name="driverClassName">
        <value>com.mysql.jdbc.Driver</value>
    </property>
</bean>
And add this class to your class path
package my.app;

import org.springframework.jdbc.datasource.DriverManagerDataSource;

public class CustomDriverManagerDataSource extends DriverManagerDataSource {
    // The constructor must carry the subclass name; the URL, user and password
    // go to DriverManagerDataSource(String url, String username, String password)
    public CustomDriverManagerDataSource() {
        super("jdbc:mysql:///BUSINESS", "root", "password");
    }
}
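Another way to apply the answer's two points (keep the file readable only by the owner and the application server's group, and never connect as root) is to load the credentials from a properties file outside the web root and fail closed if its permissions are too open. The following class is an added illustration, not code from the question or the answer; the file path, the property keys and the class name are assumptions.

```java
package my.app;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

import org.springframework.jdbc.datasource.DriverManagerDataSource;

/**
 * Added example, not from the original post: a DriverManagerDataSource that
 * reads its JDBC settings from a properties file kept outside the web root,
 * e.g. /etc/myapp/db.properties (assumed path) with mode 640 and the
 * application server's group as owning group:
 *
 *   jdbc.driver=com.mysql.jdbc.Driver
 *   jdbc.url=jdbc:mysql:///BUSINESS
 *   jdbc.username=business_app      (a DML-only account, never root)
 *   jdbc.password=...
 *
 * Wired from the Spring XML with:
 *   <bean id="dataSource" class="my.app.RestrictedFileDataSource">
 *     <constructor-arg value="/etc/myapp/db.properties"/>
 *   </bean>
 */
public class RestrictedFileDataSource extends DriverManagerDataSource {

    public RestrictedFileDataSource(String credentialFile) throws IOException {
        Path path = Paths.get(credentialFile);
        rejectIfAccessibleToOthers(path);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        }
        setDriverClassName(require(props, "jdbc.driver"));
        setUrl(require(props, "jdbc.url"));
        setUsername(require(props, "jdbc.username"));
        setPassword(require(props, "jdbc.password"));

        // Refuse the root account outright: the schema-scoped account the
        // answer recommends limits what a leaked credential can do.
        if ("root".equalsIgnoreCase(getUsername())) {
            throw new IllegalStateException(
                "refusing to use the MySQL root account; create a least-privilege account for " + getUrl());
        }
    }

    /**
     * Fails closed when "others" hold any permission on the file. Owner and
     * group access stay allowed so the file can be owned by the deployer and
     * readable by the application server's group, as the answer suggests.
     * Requires a POSIX file system; Files.getPosixFilePermissions throws
     * UnsupportedOperationException elsewhere.
     */
    static void rejectIfAccessibleToOthers(Path path) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        if (perms.contains(PosixFilePermission.OTHERS_READ)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_EXECUTE)) {
            throw new IllegalStateException(
                path + " is accessible to other users (" + perms + "); run chmod o-rwx on it");
        }
    }

    private static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("missing '" + key + "' in credential file");
        }
        return value.trim();
    }
}
```

The permission check runs once at start-up, so a deployment whose credential file was left world-readable fails loudly instead of running silently exposed; the root check is the same idea applied to the account the answer warns against.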

Related

SAML Configuration

I have integrated SAML 2.0 in my system and I have several questions about SAML configurations file.
In my Service Provider file I have
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>.
In the customer's IDP file we don't have any NameIDFormat definition.
What is the default NameIDFormat if the client didn't define it?
In my spring saml configuration file
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
    <property name="contextProvider" ref="${saml.security.context.provider}" />
    <property name="defaultProfileOptions">
        <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
            <property name="includeScoping" value="false" />
            <property name="nameID" value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
            <property name="allowCreate" value="true" />
        </bean>
    </property>
</bean>
But the client told us that the policy 'persistent' is not supported for him.
If I modify the defaultProfileOptions and I delete the nameID property, the default value for the client would be
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (I remember that in SP file the NameIDFormat is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and in IDP file we don't have the NameIDFormat definition)?
From SAML specification point of view NameID format
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
should be used if no NameID format is specified. However, you don't need to send any; the SAML IdP should then choose one of your SP's supported NameID formats (provided in the SAML SP metadata).
From SAML spec point of view NameID format
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
is intended to be used for the use case of 'account-linking' (linkage of 2 identities in 2 different identity silos, one on IdP side, one on SP side).
As your use-case seems to be SSO only, the intended NameID format would be
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Spring SAML configuration is breaking other http connections

I am using Spring SAML to implement single sign on in my application. Everything is integrated and works properly from SSO perspective.
Another service of my application which also uses HTTP client post via Axis started failing with the following error
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
I have looked into the answer provided in the link
Spring Security SAML + HTTPS to another page and followed the same but to no avail.
Below is the configuration for TLSProtocolSocketFactory
<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="targetClass" value="org.apache.commons.httpclient.protocol.Protocol"/>
    <property name="targetMethod" value="registerProtocol"/>
    <property name="arguments">
        <list>
            <value>https</value>
            <bean class="org.apache.commons.httpclient.protocol.Protocol">
                <constructor-arg value="https"/>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory">
                        <constructor-arg ref="keyManager"/>
                        <constructor-arg><null/></constructor-arg>
                        <constructor-arg value="allowAll"/>
                    </bean>
                </constructor-arg>
                <constructor-arg value="443"/>
            </bean>
        </list>
    </property>
</bean>
I have imported the cert of the other service in samlKeystore.jks as well.
Any help in the issue will be appreciated.
I think this may be what you're looking for: Source
You are using bean TLSProtocolConfigurer which changes trusted certificates and hostname verification of the HTTPS protocol in the HTTP Client. You can revert behaviour of the HTTP Client back to defaults by removing this bean. You will then need to make sure that certificates used by entities from which you load metadata (https://idp.ssocircle.com/idp-meta.xml) are trusted in your cacerts, or use an endpoint without https (http://idp.ssocircle.com/idp-meta.xml).
Alternatively, you can disable hostname verification by setting property sslHostnameVerification to allowAll on bean TLSProtocolConfigurer. You will also need to make sure that the HTTPS certificate of https://www.somepage.com (or its CA) is included in the samlKeystore.jks (see Spring SAML manual).
You can find more details on the TLSProtocolConfigurer bean in the Spring SAML manual, chapter HTTP-based metadata provider with SSL.
The issue is in the checkNames() function of PKIXX509CredentialTrustEngine, where we are checking the trustedNames collection only for null instead of "null or empty". Even though we are passing the value for trustedNames as null in TLSProtocolSocketFactory's getPKIXResolver() method to create StaticPKIXValidationInformationResolver, the constructor of this class reinitialized the trustedNames collection to an empty collection. Changing the line from if(trustedNames == null) to if(trustedNames == null || trustedNames.isEmpty()) fixed the problem for me.

spring-messaging xml config with stomp and spring-sessions

I'm trying to set up WebSockets with spring-messaging using stomp, and using redis-backed sessions with spring-session. Our application context is wired via xml, and spring-session is working with the non-websocket portion of the application. The relevant config for websocket is as follows
<websocket:message-broker application-destination-prefix="/streaming" >
    <websocket:stomp-endpoint path="/data">
        <websocket:sockjs session-cookie-needed="false" />
    </websocket:stomp-endpoint>
    <websocket:stomp-broker-relay prefix="/topic" relay-host="${jms_hostname}" relay-port="${jms_stomp_port}" />
    <websocket:client-inbound-channel>
        <websocket:interceptors>
            <ref bean="sessionRepoMessageInterceptor"/>
            <ref bean="authenticationValidationInterceptor" />
            <ref bean="selectorValidationInterceptor" />
            <ref bean="selectorQuotingInterceptor" /> <!-- comes after we have validated the selector, we now shim it so JMS understands it -->
        </websocket:interceptors>
    </websocket:client-inbound-channel>
</websocket:message-broker>
I have defined what I think are the necessary beans for spring-session's integration with web sockets here:
<bean id="redisSessionBackedWebsocketHandler" class="org.springframework.session.web.socket.server.">
</bean>
<bean id="sessionRepoMessageInterceptor" class="org.springframework.session.web.socket.server.SessionRepositoryMessageInterceptor">
</bean>
<bean id="webSocketRegistryListener" class="org.springframework.session.web.socket.handler.WebSocketRegistryListener">
</bean>
but I'm not sure where I would wire them in to the web socket configuration, and have not been able to find any doc on how to do it this way.
Thoughts?
The Spring Session WebSocket module contains the config only for the Java & Annotation variant.
And according to the Spring Session Docs the AbstractSessionWebSocketMessageBrokerConfigurer does the stuff for seamless integration between Spring Session and Spring WebSockets. However, there we can see a paragraph on what it does:
To hook in the Spring Session support, we need to ensure ...
To be honest it isn't so easy to configure that stuff from XML.
Feel free to follow with the issue: https://github.com/spring-projects/spring-session/issues/101

jasper server 5.6 active directory authentication not working

I'm authenticating Jasper Server 5.6 against LDAP Active Directory. The ldapAuthenticationProvider bean configurations are OK (userDnPatterns working), but the server couldn't search in the userSearch bean. This is my userSearch configuration. Am I correctly putting values to constructor-arg?
<bean id="userSearch"
      class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0"><value>(sAMAccountName={0})</value></constructor-arg>
    <constructor-arg index="1"><value>sAMAccountName={0},ou=IT Service Accounts</value></constructor-arg>
    <constructor-arg index="2"><ref local="ldapContextSource"/></constructor-arg>
    <property name="searchSubtree"><value>true</value></property>
</bean>
Thanks !
You should not use "sAMAccountName" as first parameter (index=0), as that parameter is the Directory search base.
If you want to use the default search base, leave the value blank.
Now, the second parameter, tells jasper (or any app that uses the FilterBasedLdapUserSearch method) how to search for the user, and what user should the app use to finally bind to the directory.
The filter you specified on "index=1" would only work if AD has user DNs in the form:
DN: sAMAccountName=user,ou=IT Service Accounts, .....
Now, AD's default user DNs are more like: "CN=Full Name,CN=Users,....", so, in your case, you should be using only (sAMAccountName={0}) in the "FilterBasedLdapUserSearch" method, and then modify the "LdapAuthenticationProvider" method to specify "userDnPatterns", like this:
<bean id="ldapAuthenticationProvider"
      class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
            <!-- userDnPatterns takes the list as its value; a self-closed property tag would drop it -->
            <property name="userDnPatterns">
                <list> <value>CN={0},ou=IT Service Accounts</value> </list>
            </property>
        </bean>
    </constructor-arg>
</bean>
Of course, you should match this more closely to your setup, this is only an example.
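To make the argument mix-up concrete, here is a small Java model of FilterBasedLdapUserSearch's two string arguments (index 0 is the search base, index 1 is the filter) and of how the {0} placeholder should be filled. This is an added illustration, not code from the question or the answer and not Spring Security's own implementation; the class and method names are assumed, and the value escaping follows RFC 4515 so that a login name containing filter metacharacters cannot widen the search.

```java
import java.text.MessageFormat;

/**
 * Added example, not from the original post: models the searchBase and
 * searchFilter arguments of FilterBasedLdapUserSearch to show which is
 * which, and builds the concrete filter for a given login name with the
 * value escaped. Names here are assumptions for illustration.
 */
public class LdapUserSearchSpec {

    private final String searchBase;   // index 0: "" means "use the context source's base DN"
    private final String searchFilter; // index 1: an LDAP filter such as "(sAMAccountName={0})"

    public LdapUserSearchSpec(String searchBase, String searchFilter) {
        this.searchBase = searchBase;
        this.searchFilter = searchFilter;
    }

    public String getSearchBase() {
        return searchBase;
    }

    /** Escapes the characters that carry meaning inside an LDAP filter value (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The concrete filter the directory will evaluate for one login name. */
    public String filterFor(String username) {
        return MessageFormat.format(searchFilter, escapeFilterValue(username));
    }

    /** True when the configured filter is at least syntactically a filter (parenthesised). */
    public boolean looksLikeFilter() {
        return searchFilter.startsWith("(") && searchFilter.endsWith(")");
    }

    public static void main(String[] args) {
        // The questioner's arguments in the order they were given: index 0 holds
        // a filter and index 1 a DN pattern, so the "filter" is not a filter at all.
        LdapUserSearchSpec asPosted = new LdapUserSearchSpec(
            "(sAMAccountName={0})", "sAMAccountName={0},ou=IT Service Accounts");
        System.out.println("as posted: base=" + asPosted.getSearchBase()
            + " filter=" + asPosted.filterFor("jdoe")
            + " valid filter? " + asPosted.looksLikeFilter());

        // What the answer recommends: default search base, sAMAccountName filter.
        LdapUserSearchSpec fixed = new LdapUserSearchSpec("", "(sAMAccountName={0})");
        System.out.println("fixed: base='" + fixed.getSearchBase() + "' filter="
            + fixed.filterFor("jdoe") + " valid filter? " + fixed.looksLikeFilter());

        // A login name made of filter metacharacters stays a literal value,
        // "(sAMAccountName=\2a)", instead of becoming a wildcard that matches every user.
        System.out.println("escaped: " + fixed.filterFor("*"));
    }
}
```

Running it prints the swapped configuration producing "sAMAccountName=jdoe,ou=IT Service Accounts" as its "filter", which is why the directory search fails, and the corrected configuration producing "(sAMAccountName=jdoe)". The escaping step mirrors what Spring Security's search does for the {0} value; the search base stays empty so the context source's base DN is used, as the answer advises.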

Gradle: Replace Tokens by finding the tokens from property file

Currently I understand that we can use org.apache.tools.ant.filters.ReplaceTokens to replace the contents of a file during build in the following way.
myBeans.xml:
<bean id="mybean1" class="com.test.MyClass1" >
<property name="myprop1" value="#myproperty#" />
</bean>
my.properties:
myprop=testme
gradle file:
from file("myBeans.xml"), {
    filter(ReplaceTokens, tokens: ["myproperty": project.properties["myprop"]])
}
However I would want gradle to find the property names from my.properties file and replace it in the xml file (without mentioning myprop in the filter). If not, I would have to add all the PlaceHolders manually.
You can pass properties as a map to the ReplaceTokens configuration. The key must match the token you want to see replaced. Example:
beans.xml:
<bean id="mybean1" class="com.test.MyClass1" >
<property name="myprop1" value="#myproperty#" />
</bean>
my.properties:
myproperty=testme
build.gradle:
task myCopy(type: Copy) {
    // Source file name matches the beans.xml shown above
    from "beans.xml"
    into "$buildDir/beans"
    // Load every key in my.properties; each key becomes a replaceable #token#
    def myProps = new Properties()
    file("my.properties").withInputStream {
        myProps.load(it)
    }
    filter(org.apache.tools.ant.filters.ReplaceTokens, tokens: myProps)
}
hope that helped.
cheers,
René
