我应该在哪里存储我的Java应用程序的凭据以访问第三方服务?
我应该在哪里存储我的Java应用程序的凭据以访问第三方服务?
Where should I store credentials for my java application to access third party services?
凭据不是我的应用程序上的每个用户所特定的。它们用于访问我的应用程序正在使用的Web服务。我知道不要将它们硬编码到我的应用程序中,但我在哪里以及如何存储它们?我还假设它们需要加密。
The credentials are not specific per user on my application. They are for accessing a web service my application is consuming. I know enough not to hard code them into my application, but where and how do I store them? I also assume they will need to be encrypted.
构建@Zildyan的答案,评论和对其他答案的引用。
To build upon @Zildyan's answer, comments and references to other answers.
存储 的几个选项:
- 数据库
- 属性文件
- 常量(硬编码)
- 文件系统(远离应用程序) )
- Database
- Properties file
- Constant (hard coded)
- File system (away from application)
至于如何存储:
取决于灵敏度。凭证可以以纯文本格式存储(低灵敏度)或应加密(高灵敏度)。
Depending upon sensitivity. Credentials could be stored in plain text (low sensitivity) or should be encrypted (high sensitivity).
它也应该是请注意,使用加密和从源分离凭据的组合,您将限制对凭据的内部访问。
It should also be noted that using a combination of encryption and separating the credentials from the source you would restrict internal access to the credentials.
一些例子
- 以明文形式存储的密码可能会添加到源文件中任何有权访问源代码管理的人控制和阅读。
- 任何能够运行代码的人都可以轻松获得带有解密代码的加密密码。
- 访问服务器的任何人都可以访问存储在服务器上的纯文本文件。
- 存储在文件系统上的加密文件只能由sys admins和开发人员可用的解密方法访问。
- a password stored in plain text may be added to source control and read by anyone with access to the source control.
- An encrypted password with decryption code would be easily available to anyone able to run the code.
- A plain text file stored on the server may be accessible to anyone with access to the server.
- An encrypted file stored on the file system may only be accessible to sys admins and the decryption method available to devs.
存储在数据库中以及谁有权访问该数据库也是如此。
The same goes for storing in a database and who has access to that database.