问题
Similarly to browsers, my application needs to save locally some password to save user the pain entering it every time. So it happens that it's likely scam applications might put an effort to retrieve this password from my program's configuration files.
I seek a way to avoid it - ideally by commanding OS to only provide my password to my program and no other. As I think about this, it seems like impossible task. Whatever my application can access, any other application can access too.
On Android, there's a security model that allows your application to truly only save data for itself (unless the phone is rooted and malicious program runs under root privilegies).
Any chance this was implemented in Java? Or on Windows where my program is targeted? Again, with the exception of admin account, which can do anything.
Edit: While there's another question about very similar topic, the answer to this question doesn't really explain anything. I hoped for specific Java class names and an example. Especially now, when I failed to use keystore suggested in the answer to the other question.
回答1:
You can use the java-keyring library.
// Password can be stored to key store by using Keyring.setPassword method.
// PasswordSaveException is thrown when some error happened while saving password.
// LockException is thrown when keyring backend failed to lock key store file.
try {
keyring.setPassword("My service name", "My account name", "My password");
} catch (LockException ex) {
Logger.getLogger(Program.class.getName()).log(Level.SEVERE, null, ex);
return;
} catch (PasswordSaveException ex) {
Logger.getLogger(Program.class.getName()).log(Level.SEVERE, null, ex);
return;
}
You could also probably use the keyring api from Netbeans.
来源:https://stackoverflow.com/questions/29116087/where-can-i-store-saved-password-locally-but-securely-in-java