Where should I store credentials for my java application to access third party services?

The credentials are not specific per user on my application. They are for accessing a web service my application is consuming. I know enough not to hard code them into my application, but where and how do I store them? I also assume they will need to be encrypted.

.jar file is best way to store all credentials.

1. Create interface where store your credentials as a final String
2. convert interface to jar file
3. Add that jar file in your build path
4. Implement this interface where u use credentials, and access String object in which u stored credentials.

• Db
• .properties file
• configuration class with constant

Spring have nice functionality with @Value annotation that can auto-magically inject value from .properties file (under resources folder) with a given key.

I use that because in my case I have different key values in multiple app instances and db would require little more complexity, and furthermore I don't make unnecessary queries to db.

On security basis if attacker can read files on your server than he can easily read your db so that don't play a part here. It can be stored in any file on the system.

On the other hand you can have configuration class with

public static final String SECRET_KEY = "someKey"

To build upon @Zildyan's answer, comments and references to other answers.

There are a few options for where to store:

• Database
• Properties file
• Constant (hard coded)
• File system (away from application)

As for how to store:

Depending upon sensitivity. Credentials could be stored in plain text (low sensitivity) or should be encrypted (high sensitivity).

It should also be noted that using a combination of encryption and separating the credentials from the source you would restrict internal access to the credentials.

Some examples

• a password stored in plain text may be added to source control and read by anyone with access to the source control.
• An encrypted password with decryption code would be easily available to anyone able to run the code.
• A plain text file stored on the server may be accessible to anyone with access to the server.
• An encrypted file stored on the file system may only be accessible to sys admins and the decryption method available to devs.

The same goes for storing in a database and who has access to that database.

JNDI

Per Wikipedia:

The Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources (in the form of Java objects) via a name.

Your enterprise likely has a JNDI-compatible directory service established. You would ask the sysadmin to include an entry for your particular credentials.

If you are self-administering, then your Java EE (now Jakarta EE) should have a JNDI-compatible server built-in. Learn to configure it, and add the entry for your particular credentials.