I am very new in Spring framework and I am using Spring framework to manage my database connections and so on. Applicaiton reads my db connection parameters from a property file. The thing I need is to store my connection password in property file as encrypted. Here is my datasource xml file
    <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="location">
            <value>file:${DBConfigFile}</value>
        </property>
    </bean>
    <bean id="myDataSource"   class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
        <property name="driverClass" value="${jdbc.driverClassName}" />
        <property name="jdbcUrl" value="${jdbc.url}" />
        <property name="user" value="${jdbc.username}" />
        <property name="password" value="${jdbc.password}" />
        <property name="initialPoolSize"><value>3</value></property>
        <property name="minPoolSize"><value>3</value></property>
        <property name="maxPoolSize"><value>50</value></property>
        <property name="idleConnectionTestPeriod"><value>200</value></property>
        <property name="acquireIncrement"><value>1</value></property>
        <property name="maxStatements"><value>0</value></property>
        <property name="numHelperThreads"><value>3</value></property>
    </bean>
</beans>
I am thiking to write the password encrypted to property file and I am wondering if Spring can decrypt it with an algorithm automatically. Is it possible with configuration. Thank you in advance.
Instead of using just the password as input to the hash function, random bytes (known as salt) would be generated for every users' password. The salt and the user's password would be ran through the hash function which produced a unique hash. The salt would be stored alongside the user's password in clear text.
As far I known Spring does not support this ability, but some other project may be helpfull:
Jasypt library offers support for encrypted application configuration (and also integrates with Spring). See details: http://www.jasypt.org/encrypting-configuration.html
OWASP Project provides EncryptedProperties interfaces with DefaultEncryptedProperties and ReferenceEncryptedProperties implementations which may be used in your application. See also: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file
I am using spring 4 and jasypt 1.9. Jasypt documentation does not provide explicit support for spring 4. I could not locate class named EncryptablePropertyPlaceholderConfigurer with org.jasypt:jasypt:1.9.2 dependency either.
I wrote a simple static encryption utility java class (this uses jasypt API).
public class EncryptionUtil {
    static PooledPBEStringEncryptor encryptor = null;
    static {
        encryptor = new PooledPBEStringEncryptor();
        encryptor.setPoolSize(4); 
        //  There are various approaches to pull this configuration via system level properties. 
        encryptor.setPassword("parashar");
        encryptor.setAlgorithm("PBEWITHMD5ANDDES");
    }
    public static String encrypt(String input) {
        return encryptor.encrypt(input);
    }
    public static String decrypt(String encryptedMessage) {
        return encryptor.decrypt(encryptedMessage);
    }
}
I used this utility to encrypt the passwords I intended to keep in my property files.
I then simply used spring EL to decrypt the properties back in my spring config xml.
<property name="password" value="#{T(amit.parashar.EncryptionUtil).decrypt('${db.password}')}" />
EDIT : To answer on how to hide the encryption password :
Use system args while bringing up your java process. 
for e.g. : java -Dwhatismyencpawd="parashar"
and use it like
encryptor.setPassword(java.lang.System.getProperty("whatismyencpawd"));
This way only the app admin would know the password. This way password will be visible as part of ps command though on a UNIX box.
or You can configure and read from OS level environment variable as well.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With