
Securely Storing SMTP Credentials in Java EE

I have a Java EE application running on GlassFish 4 / Java 8 (x64). Development is on a Windows machine, but it will eventually be ported to Linux (either Red Hat or Ubuntu). In that application I have the requirement to send email messages from an SMTP server requiring user authentication, and I'm using JavaMail to perform the connection and send the email messages. These emails are sent on behalf of the system during successful user registration, password reset requests, etc. The user initiating the action, therefore, will not have the credentials to send the email. The same email credentials are used for all such actions, and the email account in question is dedicated to this use.

The approaches which immediately come to mind are to store the sending email account username and plaintext password in a database or some other data store, or to hard code the username and plaintext password in the Java EE application. This has an obvious security risk typically associated with storing passwords in the clear.

There are variations on this, where I could store an encrypted version of the password either in the database or hard coded in the application. At that point, I'm back to finding a method to store the key to decrypt the password.

What methods exist to securely manage such credentials in Java EE? Am I stuck with storing this in plain text?

First, you mean "Java EE"; there is nothing named "JEE".

The typical way to do this is to configure a JavaMail Session as an administered object in the application server (GlassFish in this case), and look up or inject that Session in your application. The configuration of the Session will include the username and password. That keeps the password out of your application, but it will be accessible to anyone who can read the GlassFish files on the server. To further secure it, you can store the password in the keystore, reference it from the Session configuration using a password alias, and set a master password for GlassFish to protect the keystore. I'm sure you'll find further details in the GlassFish documentation; sorry, I don't have a link handy.
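Putting the answer's advice into practice, here is an added example (not part of the original answer) of a stateless EJB that injects a container-managed JavaMail Session created with GlassFish's asadmin; the JNDI name `mail/NotificationSession`, the alias name `smtp-password`, the host and addresses are assumptions, as is GlassFish resolving the `${ALIAS=...}` reference in the resource property and using it to authenticate.

```java
// Added example (not from the original answer): a stateless EJB that sends
// mail through a container-managed JavaMail Session, so the SMTP password
// never appears in application code or the application database.
//
// The resource is created once by an administrator with asadmin; the JNDI
// name, alias name, host and addresses below are assumptions:
//
//   asadmin create-password-alias smtp-password   # prompts for the password, stores it in the keystore
//   asadmin create-javamail-resource --mailhost smtp.example.org \
//       --mailuser noreply --fromaddress noreply@example.org \
//       --property 'mail.smtp.auth=true:mail.smtp.password=${ALIAS=smtp-password}' \
//       mail/NotificationSession
//   asadmin change-master-password                # protects the keystore holding the alias
//
// The ${ALIAS=...} token is quoted so the shell does not expand it; GlassFish
// resolves it (assumption) when it builds the Session.
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

@Stateless
public class NotificationMailer {

    // Injected by the container; the Session already carries host, user and
    // the alias-resolved password from the administered object.
    @Resource(lookup = "mail/NotificationSession")
    private Session mailSession;

    public void sendPasswordReset(String recipient, String resetLink) throws MessagingException {
        MimeMessage msg = new MimeMessage(mailSession);
        msg.setRecipient(Message.RecipientType.TO, new InternetAddress(recipient));
        msg.setSubject("Password reset request");
        msg.setText("Use this link to reset your password: " + resetLink);
        // Authentication is performed with the credentials configured on the
        // Session by the container (assumption: GlassFish hands the
        // mail.smtp.user/password properties to JavaMail); the application
        // itself never reads, stores or logs the SMTP password.
        Transport.send(msg);
    }
}
```

Anyone who can read domain.xml still sees the resource definition, but only the alias name, not the password, which is why the answer pairs the alias with a master password on the keystore.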
