microsoft / credential-secure-storage-for-java Goto Github PK

Secure storage for credentials in platform-provided credential managers.

License: MIT License

Java 100.00%

credential-secure-storage-for-java's Introduction

Credential Secure Storage for Java

Unified interface to store Java application secrets on different platforms backed by built-in credential managers.

The library is derivative work from Visual Studio Team Services Authentication Library for Java (Preview), auth-secure-storage module in particular, focusing on secure storage only.

What this library provides

This library provides a set of secure storage providers that store retrieved secrets, as well as In memory insecure storage.

Available Secure Storage Providers:

Secret Type	Windows (Credential Manager)	Linux (GNOME Keyring v2.22+/Libsecret)	Mac OSX (Keychain)
Username / Password Credentials (`StoredCredential`)	Yes	Yes	Yes
OAuth2 Access/Refresh Token (`StoredTokenPair`)	Yes (On Windows 7, 8/8.1 and 10)	Yes	Yes
Personal Access Token (`StoredToken`)	Yes	Yes	Yes

How to use this library

Maven is the preferred way to referencing this library.

  <dependency>
    <groupId>com.microsoft</groupId>
    <artifactId>credential-secure-storage</artifactId>
    <version>1.0.0</version>
  </dependency>

Here is sample code for credentials that shows how to use this library.

How to build

JDK 11
Maven 3.8+
mvn clean verify

License

The MIT license can be found in LICENSE.txt See the NOTICE.txt file for required notices and attributions.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.

credential-secure-storage-for-java's People

Contributors

Stargazers

Watchers

Forkers

test-mass-forker-org-1 asbaharoon torebal czmdav mjp91

credential-secure-storage-for-java's Issues

Accordance with Azure SDK for Java Guidelines

Can the team please review the Azure SDK Guidelines for Java Libraries, and identify what needs to be addressed to bring consistency with the other Azure SDKs already published on Maven Central?

// @JonathanGiles

Recovering a credentials inside Windows Service not works

If execute the sample from power shell like:

java -jar <JAR_FILE> works ok

But if execute the same jar file as a windows service I can't recover the same credentials.

What is the problem?

Secure credentials encoding issue on Mac

Thanks for implementing this library, it's really useful! 🎉

I have bumped into a small issue while using it on Mac: if the username or the password contains any special characters, they are not stored and retrieved correctly. E.g. if I store the username "täst", it retrieves this string: 0x74C3A47374 "t\303\244st

My macOS version is Sonoma 14.0.

Here is the code that I use to store the credentials:

fun storeAccount(accountKey: String, urlKey: String, settings: ServerConfiguration) {
    val credentialStorage = StorageProvider.getCredentialStorage(true, StorageProvider.SecureOption.REQUIRED)
    val storedSettings = Settings()

    if (settings.url.isEmpty()) {
        storedSettings.remove(urlKey)
        credentialStorage.delete(accountKey)
        return
    }

    storedSettings.putString(urlKey, settings.url)
    if (settings.username.isEmpty()) {
        credentialStorage.delete(accountKey)
        return
    }

    val credentialsToStore = StoredCredential(settings.username, settings.password.toCharArray())
    credentialStorage.add(accountKey, credentialsToStore)
}

This is used to load them:

fun getAccount(accountKey: String, urlKey: String): ServerConfiguration {
    val storedSettings = Settings()
    val url = storedSettings.getString(urlKey, "")
    val credentialStorage = StorageProvider.getCredentialStorage(true, StorageProvider.SecureOption.REQUIRED)
    val credential: StoredCredential? = credentialStorage.get(accountKey)
    val username = credential?.username ?: ""
    val password = (credential?.password ?: CharArray(0)).joinToString("")
    return ServerConfiguration(url, username, password)
}

I also tested on Windows and there it worked without issues. (Not sure about Linux as I didn't manage to get it running at all due to some strange NPEs, I'm still looking into that.)

Make StoredSecret AutoCloseable

StoredSecret interface looks like a good candidate to be AutoCloseable. So instead of this abomination from the sample code

private void userLogin() {
    log.info("Authenticating a user");

    final StoredCredential enteredCredential = enterCredentials();
    StoredCredential storedCredential = null;

    try {
        // Save the credential to the store.
        storedCredential = credentialStorage.get(CREDENTIALS_KEY);

        if (storedCredential.equals(enteredCredential)) {
            log.info("User logged in successfully.");
        } else {
            log.info("Authentication failed.");
        }
    } finally {
        // clear password value
        enteredCredential.clear();

        if (storedCredential != null) {
            storedCredential.clear();
        }
    }
}

you could write this beauty

private void userLogin() {
    log.info("Authenticating a user");

    try (StoredCredential enteredCredential = enterCredentials();
         StoredCredential storedCredential = credentialStorage.get(CREDENTIALS_KEY)) {

        if (storedCredential.equals(enteredCredential)) {
            log.info("User logged in successfully.");
        } else {
            log.info("Authentication failed.");
        }
    }
}

Is this project still maintained?

I'm glad to see this was extracted from https://github.com/microsoft/vsts-authentication-library-for-java but there haven't been updates since Mar. last year.

StoredCredential with empty string username causes exception

The following code throws a NullPointerException if an empty string ("") is used for username. The code works fine if a non-empty string is used. Tested on Windows 10 using OpenJDK 15 only.

Expected behavior would be eighter:
a) Don't accept "" in StoredCredential constructor
b) (preferred) Don't throw an exception during store.get() to enable storing passwords/secrets without a username.

com.microsoft.credentialstorage.SecretStore<StoredCredential> store = StorageProvider.getCredentialStorage(true, StorageProvider.SecureOption.REQUIRED);
String username = "";
store.add("dummy", new StoredCredential(username, "xxx".toCharArray()));
try {
    store.get("dummy");
} catch (Exception e) {
    e.printStackTrace();
}