It's difficult to manage these types of configurations. As far as a
self-contained application is concerned, we typically use the POM as the
central source for the configuration of the application. This means that any
datasources etc. get fed their properties via a Maven filter. So a password
(like the one to connect to an internal DB) is filtered and added to our
application's resources. The POM and relevant configuration files contain
the passwords in clear text within the application build. There doesn't seem
to be an elegant solution for this... 

Even if we manage to ask the user for a private password to an internal DB,
we typically want to store that hashed password somewhere. We can't put the
hashed password in the DB that it's for or we will never be able to
connect to retrieve it. So, we usually use java.util.prefs.Preferences to
store the hashed password... That introduces maintenance overhead because
that still requires us to programmatically update the configuration every
time the application starts because it's still using the configuration that
is within the build (i.e. other non-application dependencies that require
the configuration file(s)).

-----Original Message-----
From: Ron Wheeler [mailto:rwhee...@artifact-software.com] 
Sent: Thursday, May 24, 2012 10:22 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password
entries?

We have done a lot of single sign-on implementations over the years.

Mostly around getting access to remote servers to launch instructional 
content from an LMS or getting transparently logged into remote LMS portals.

There are lots of "standard" ways to do this which is almost as bad as 
not having standards.

A little off topic for the Maven list.
Ron

On 24/05/2012 8:23 AM, Will Hoover wrote:
> Yeah, the last option where we have the user provide a password is where
> we're currently headed. Thanks for your input!
>
> -----Original Message-----
> From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
> Sent: Wednesday, May 23, 2012 2:21 PM
> To: users@maven.apache.org
> Subject: Re: How can I eliminate these embedded username and password
> entries?
>
> I used invisible ink.
>
> You are right that the passwords are in clear text in the JNDI but they
> are in a place where they are not supposed to be visible to anyone
> except the system administrator.
>
> For desktop applications, you can embed the passwords in the code and
> hope that the customers do not reverse engineer or you can provide a
> service that the desktop client can call to get a password from your
> server to use to unlock the database on their workstation.
>
> If your installation procedure can get a password from the user and use
> that for the database, then you are at least giving the user a private
> password that will not be any good on another client's database.
>
> It all depends on what use case you are trying to handle.
>
> Ron
>
> On 23/05/2012 12:18 PM, Will Hoover wrote:
>> Was there a reply in there that I'm overlooking?
>>
>> -----Original Message-----
>> From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
>> Sent: Wednesday, May 23, 2012 11:50 AM
>> To: users@maven.apache.org
>> Subject: Re: How can I eliminate these embedded username and password
>> entries?
>>
>> On 23/05/2012 10:33 AM, Will Hoover wrote:
>>> Great posts! Thank you! My only concerns with the proposed solutions are
>>> the following:
>>>
>>> 1) Remote resources, scripts, etc. are great for internal network
>>> deployments (or "ships") such as web applications, but what about desktop
>>> or mobile applications that are self contained?
>>> 2) Even with JNDI and other solutions... at some point the passwords still
>>> reside in clear-text format, right?
>>>
>>> BTW, I agree that this should be outside the scope of Maven
>>> responsibilities. I'm just looking for input from other Maveneers and what
>>> measures they have taken to tackle this issue :)
>>>
>>> -----Original Message-----
>>> From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
>>> Sent: Wednesday, May 23, 2012 9:54 AM
>>> To: users@maven.apache.org
>>> Subject: Re: How can I eliminate these embedded username and password
>>> entries?
>>>
>>> This has come up so often I wrote some blogs on it.
>>>
>>> http://blog.artifact-software.com/tech/?tag=jndi
>>>
>>> On 23/05/2012 9:05 AM, Barrie Treloar wrote:
>>>> On Wed, May 23, 2012 at 10:23 PM, Will Hoover <java.whoo...@gmail.com> wrote:
>>>>> This is an interesting topic of interest. We would like to do a similar
>>>>> thing with our DB passwords that are in our POMs. Are there any other
>>>>> options other than the ones described?
>>>> Search the archives.
>>>> External Resources used at Runtime (rather than build time) are either
>>>> stored in JNDI or in property files which are loaded on the classpath.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
>>>> For additional commands, e-mail: users-h...@maven.apache.org
>>>>
>>>>
>


-- 
Ron Wheeler President Artifact Software Inc email: 
rwhee...@artifact-software.com skype: ronaldmwheeler phone: 
866-970-2435, ext 102
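
The approach suggested in this thread (credentials resolved at run time from a property file kept outside the build and visible only to the administrator), as an added Java example that is not code from any poster. The class name, the `db.*` keys and the sample values are assumptions, and the demo in `main` assumes a POSIX file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;

// Added example (hypothetical class, keys and paths), not code from the thread.
public class RuntimeDbConfig {
    // Load db.* settings at run time from a file kept outside the Maven build.
    static Properties load(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(file + " is readable by group/others");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system: access control has to be verified another way.
        }
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }
        for (String key : new String[] {"db.url", "db.user", "db.password"}) {
            String v = p.getProperty(key);
            // "${" means a Maven filter placeholder was never substituted.
            if (v == null || v.isEmpty() || v.contains("${")) {
                throw new IOException("missing or unfiltered value for " + key);
            }
        }
        return p;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample file; createTempFile makes it owner-only on POSIX.
        Path f = Files.createTempFile("db", ".properties");
        try {
            Files.write(f, Arrays.asList("db.url=jdbc:h2:mem:demo", "db.user=app",
                    "db.password=constructed-secret"));
            System.out.println("loaded user: " + load(f).getProperty("db.user"));
            Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-r--r--"));
            try { load(f); } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        } finally { Files.deleteIfExists(f); }
    }
}
```

The password is still clear text on disk, as noted in the thread; the check only confirms that the file is not readable beyond its owner and that no unfiltered placeholder slipped through.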
