edvin / fxlauncher

Auto updating launcher for JavaFX Applications
Apache License 2.0

Can pass hidden parameters (passwords) by fxlauncher? #150

Open TioCoding opened 5 years ago

TioCoding commented 5 years ago

Hello, I am using 'jasypt-spring-boot' for the encryption of some passwords within my application, but I need to pass a general password so that I can decrypt the strings.

I tried passing it through applicationParameters in the build.gradle in this way:

applicationParameters '--user.password=$password.secret'

The value of 'password.secret' I enter when packaging the application.

But I have a problem with this: in the 'app.xml' file you can see the password, and that worries me:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Application ts="1548827001994" uri="http://fxldemo.tornado.no/" launch="no.tornado.FxlDemo">
    <lib file="controlsfx.jar" checksum="499123426" size="996389"/>
    <lib file="fxldemo-gradle-1.0.jar" checksum="2202848166" size="2352"/>
    <updateText>Updating...</updateText>
    <updateLabelStyle>-fx-font-weight: bold;</updateLabelStyle>
    <progressBarStyle>-fx-pref-width: 200;</progressBarStyle>
    <wrapperStyle>-fx-spacing: 10; -fx-padding: 25;</wrapperStyle>
    <parameters>--user.password=12345</parameters> <!-- This is not safe -->
    <acceptDowngrade>false</acceptDowngrade>
    <stopOnUpdateErrors>false</stopOnUpdateErrors>
    <lingeringUpdateScreen>false</lingeringUpdateScreen>
</Application>

Is there any way to pass the password so that no user can see it?

I'm using fxlauncher-gradle-plugin.

Thanks and regards.

edvin commented 5 years ago

If you embed the password with the application I'm not sure it has the desired security effect you're after. Maybe you could ask the user for the password on first run and store it encrypted or at least as safe as possible after that? I don't see any solution where embedding the password within the application gives any real security.

TioCoding commented 5 years ago

This is mainly to encrypt the IP within the application and to prevent users from hitting the server with many requests using 'Apache JMeter' or some other program.

Also to encrypt the POST, GET, PUT, DELETE requests and prevent them from being intercepted while this information is sent.

Do you know any solution to these two operations? Thank you.

mordechaim commented 5 years ago

For the first problem use rate limiting and prevent connections if the requesting IP made too many requests within a set interval.

The second problem can be fixed by using https; don't reinvent the wheel.
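
Mordechaim's first suggestion, counting requests per client IP over a set interval and rejecting once the limit is hit, as an added example in plain Java (not code from fxlauncher or from anyone in this thread); the class name, the limit of 5 requests per 10 seconds and the client address are constructed for the demo.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Sliding-window limiter: at most maxRequests per client IP within windowMillis. */
public final class PerIpRateLimiter {
    private final int maxRequests;
    private final long windowMillis;
    // Timestamps (ms) of recent requests, oldest first, keyed by client address.
    // A production version should also evict entries for clients idle longer than the window.
    private final Map<String, Deque<Long>> history = new HashMap<>();

    public PerIpRateLimiter(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    /** Returns true if the request from ip at nowMillis may proceed, false if it should get HTTP 429. */
    public synchronized boolean allow(String ip, long nowMillis) {
        Deque<Long> stamps = history.computeIfAbsent(ip, k -> new ArrayDeque<>());
        // Forget requests that have fallen out of the window.
        while (!stamps.isEmpty() && nowMillis - stamps.peekFirst() >= windowMillis) {
            stamps.pollFirst();
        }
        if (stamps.size() >= maxRequests) {
            return false; // over the limit: reject before doing any work for this client
        }
        stamps.addLast(nowMillis);
        return true;
    }

    // Constructed demo: 5 requests in one 10 s window are allowed, the 6th is rejected,
    // and a request 10 s later is accepted again because the old timestamps have expired.
    public static void main(String[] args) {
        PerIpRateLimiter limiter = new PerIpRateLimiter(5, 10_000);
        String client = "203.0.113.7"; // documentation-range address, constructed for the demo
        for (int i = 1; i <= 6; i++) {
            boolean ok = limiter.allow(client, 1_000L * i);
            System.out.println("request " + i + ": " + (ok ? "allowed" : "rejected (429)"));
        }
        boolean later = limiter.allow(client, 16_000L);
        System.out.println("request after window: " + (later ? "allowed" : "rejected (429)"));
    }
}
```

Behind a reverse proxy the key must come from the proxy's trusted forwarded-client header rather than the socket address, otherwise every client shares the proxy's IP and one limit.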

TioCoding commented 5 years ago

Thanks for the recommendations @mordechaim , but I have one last doubt. In my application I use a file database (H2) where I enter a username and password in a configuration file:

spring.datasource.username=username
spring.datasource.password=secret

I used Jasypt to encrypt the password, but this forces me to pass a password like my initial question. How could I solve this?

Thank you and regards.

edvin commented 5 years ago

If you include the username/password, that sounds the same as not having a username/password at all. You could either remove them, hard code them, or simply include a property file with the credentials, since this doesn't really offer any real security either.