API key storage best practices: help from NetBeans?

[Alonso Del Arte <al...@gmail.com>]

This is somewhat of a general Java question, but I do believe it has an
IDE-specific component.

What are the best practices for storing and retrieving API keys in Java
programs? And what help does NetBeans offer for adhering to those best
practices?

Suppose for example that your key for an example widget API is
"555EXAMPLE." You could certainly write "private final static String
API_KEY = "555EXAMPLE";" and then each time you need the key, you write "
API_KEY" where it's needed.

String query = "https://www.example.com/api/q=" + sendParams + "&key=" +
API_KEY;
URL queryURL = new URL(query);
HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
conn.setRequestMethod("POST");
// etc.

But then I might forget about the API key and upload the source file to a
public GitHub repository (maybe GitHub would alert us, but I don't know for
sure).

I suppose I could store the API key in a file or folder listed in the Git
Ignore, and then create a class to store and retrieve API keys, but that
would probably feel like I'm reinventing the wheel...

Alonso del Arte
Author at SmashWords.com
<https://www.smashwords.com/profile/view/AlonsoDelarte>
Musician at ReverbNation.com <http://www.reverbnation.com/alonsodelarte>

Re: API key storage best practices: help from NetBeans?

[Emilian Bold <em...@gmail.com>]

> ¿Does netbeans provide a "keyring" of some sorts where user
credentials are stored, and is such a store accessible through an API?

http://bits.netbeans.org/dev/javadoc/org-netbeans-modules-keyring/overview-summary.html

> Actually this has nothing to do with IDEs and am not aware of any that
integrate with such functionality.

But if GitHub is able to show users some warning about leaking secretes,
surely the IDE can also do something in this area?

Right now NetBeans does not touch this, but I think it could.

--emi


On Sat, May 23, 2020 at 6:23 AM Juan Algaba <ja...@colef.mx> wrote:

> > And what help does NetBeans offer for adhering to those best practices?
>
> I'm currently developing new features to an existing FTP netbeans
> plugin and currently store the password as plain text.
> ¿Does netbeans provide a "keyring" of some sorts where user
> credentials are stored, and is such a store accessible through an API?
> My guess is that there is one because NB remembers my remote
> repository credentials.
>
> On Fri, May 22, 2020 at 4:58 PM Scott Palmer <sw...@gmail.com> wrote:
> >
> > Or if you are less paranoid, store and retrieve it with the Java
> Preferences API. Encrypt it so it isn’t stored in plaintext.  The User
> preferences should be isolated from other user’s access.  If your software
> requires a user to authenticate in any way, use that authentication in the
> encryption so there are no hard coded keys in the code.
> >
> > Scott
> >
> > On May 22, 2020, at 7:42 PM, Daoud Abdelmonem Faleh <
> abdelmonem.faleh@gmail.com> wrote:
> >
> > 
> > Actually this has nothing to do with IDEs and am not aware of any that
> integrate with such functionality.
> >
> > The general consensus for managing users secrets (API keys, Databases
> credentials,...) is to use a secrets management system.
> > Many of the public clouds providers have this kind of service (AWS
> Secrets Manager, GCP secrets manager, Azure Key Vault, ...) if you're on
> premises opensource tools do exist (Hashicorp vault, Square Keywhiz).
> Spring framework seems to support many of them.
> > Github do have a secrets scanning tool that recognize many of public
> APIs. Other tools are available to scan source code for secretes and can be
> configured as pre-commit hook (Yelp Detect Secrets come to mind).
> >
> > HTH,
> > --Daoud
> >
> > On Fri, May 22, 2020 at 10:27 PM Alonso Del Arte <
> alonso.delarte@gmail.com> wrote:
> >>
> >> This is somewhat of a general Java question, but I do believe it has an
> IDE-specific component.
> >>
> >> What are the best practices for storing and retrieving API keys in Java
> programs? And what help does NetBeans offer for adhering to those best
> practices?
> >>
> >> Suppose for example that your key for an example widget API is
> "555EXAMPLE." You could certainly write "private final static String
> API_KEY = "555EXAMPLE";" and then each time you need the key, you write
> "API_KEY" where it's needed.
> >>
> >> String query = "https://www.example.com/api/q=" + sendParams + "&key="
> + API_KEY;
> >> URL queryURL = new URL(query);
> >> HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
> >> conn.setRequestMethod("POST");
> >> // etc.
> >>
> >> But then I might forget about the API key and upload the source file to
> a public GitHub repository (maybe GitHub would alert us, but I don't know
> for sure).
> >>
> >> I suppose I could store the API key in a file or folder listed in the
> Git Ignore, and then create a class to store and retrieve API keys, but
> that would probably feel like I'm reinventing the wheel...
> >>
> >> Alonso del Arte
> >> Author at SmashWords.com
> >> Musician at ReverbNation.com
>
>
> --
>
> - Juan Algaba
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: users-help@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
>

Re: API key storage best practices: help from NetBeans?

[Juan Algaba <ja...@colef.mx>]

> And what help does NetBeans offer for adhering to those best practices?

I'm currently developing new features to an existing FTP netbeans
plugin and currently store the password as plain text.
¿Does netbeans provide a "keyring" of some sorts where user
credentials are stored, and is such a store accessible through an API?
My guess is that there is one because NB remembers my remote
repository credentials.

On Fri, May 22, 2020 at 4:58 PM Scott Palmer <sw...@gmail.com> wrote:
>
> Or if you are less paranoid, store and retrieve it with the Java Preferences API. Encrypt it so it isn’t stored in plaintext.  The User preferences should be isolated from other user’s access.  If your software requires a user to authenticate in any way, use that authentication in the encryption so there are no hard coded keys in the code.
>
> Scott
>
> On May 22, 2020, at 7:42 PM, Daoud Abdelmonem Faleh <ab...@gmail.com> wrote:
>
> 
> Actually this has nothing to do with IDEs and am not aware of any that integrate with such functionality.
>
> The general consensus for managing users secrets (API keys, Databases credentials,...) is to use a secrets management system.
> Many of the public clouds providers have this kind of service (AWS Secrets Manager, GCP secrets manager, Azure Key Vault, ...) if you're on premises opensource tools do exist (Hashicorp vault, Square Keywhiz). Spring framework seems to support many of them.
> Github do have a secrets scanning tool that recognize many of public APIs. Other tools are available to scan source code for secretes and can be configured as pre-commit hook (Yelp Detect Secrets come to mind).
>
> HTH,
> --Daoud
>
> On Fri, May 22, 2020 at 10:27 PM Alonso Del Arte <al...@gmail.com> wrote:
>>
>> This is somewhat of a general Java question, but I do believe it has an IDE-specific component.
>>
>> What are the best practices for storing and retrieving API keys in Java programs? And what help does NetBeans offer for adhering to those best practices?
>>
>> Suppose for example that your key for an example widget API is "555EXAMPLE." You could certainly write "private final static String API_KEY = "555EXAMPLE";" and then each time you need the key, you write "API_KEY" where it's needed.
>>
>> String query = "https://www.example.com/api/q=" + sendParams + "&key=" + API_KEY;
>> URL queryURL = new URL(query);
>> HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
>> conn.setRequestMethod("POST");
>> // etc.
>>
>> But then I might forget about the API key and upload the source file to a public GitHub repository (maybe GitHub would alert us, but I don't know for sure).
>>
>> I suppose I could store the API key in a file or folder listed in the Git Ignore, and then create a class to store and retrieve API keys, but that would probably feel like I'm reinventing the wheel...
>>
>> Alonso del Arte
>> Author at SmashWords.com
>> Musician at ReverbNation.com


--

- Juan Algaba

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@netbeans.apache.org
For additional commands, e-mail: users-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

Re: API key storage best practices: help from NetBeans?

[Scott Palmer <sw...@gmail.com>]

Or if you are less paranoid, store and retrieve it with the Java Preferences API. Encrypt it so it isn’t stored in plaintext.  The User preferences should be isolated from other user’s access.  If your software requires a user to authenticate in any way, use that authentication in the encryption so there are no hard coded keys in the code. 

Scott

> On May 22, 2020, at 7:42 PM, Daoud Abdelmonem Faleh <ab...@gmail.com> wrote:
> 
> 
> Actually this has nothing to do with IDEs and am not aware of any that integrate with such functionality.
> 
> The general consensus for managing users secrets (API keys, Databases credentials,...) is to use a secrets management system.
> Many of the public clouds providers have this kind of service (AWS Secrets Manager, GCP secrets manager, Azure Key Vault, ...) if you're on premises opensource tools do exist (Hashicorp vault, Square Keywhiz). Spring framework seems to support many of them.
> Github do have a secrets scanning tool that recognize many of public APIs. Other tools are available to scan source code for secretes and can be configured as pre-commit hook (Yelp Detect Secrets come to mind).
> 
> HTH,
> --Daoud
> 
>> On Fri, May 22, 2020 at 10:27 PM Alonso Del Arte <al...@gmail.com> wrote:
>> This is somewhat of a general Java question, but I do believe it has an IDE-specific component.
>> 
>> What are the best practices for storing and retrieving API keys in Java programs? And what help does NetBeans offer for adhering to those best practices?
>> 
>> Suppose for example that your key for an example widget API is "555EXAMPLE." You could certainly write "private final static String API_KEY = "555EXAMPLE";" and then each time you need the key, you write "API_KEY" where it's needed.
>> 
>> String query = "https://www.example.com/api/q=" + sendParams + "&key=" + API_KEY;
>> URL queryURL = new URL(query);
>> HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
>> conn.setRequestMethod("POST");
>> // etc.
>> 
>> But then I might forget about the API key and upload the source file to a public GitHub repository (maybe GitHub would alert us, but I don't know for sure).
>> 
>> I suppose I could store the API key in a file or folder listed in the Git Ignore, and then create a class to store and retrieve API keys, but that would probably feel like I'm reinventing the wheel...
>> 
>> Alonso del Arte
>> Author at SmashWords.com
>> Musician at ReverbNation.com

Re: API key storage best practices: help from NetBeans?

[Daoud Abdelmonem Faleh <ab...@gmail.com>]

Actually this has nothing to do with IDEs and am not aware of any that
integrate with such functionality.

The general consensus for managing users secrets (API keys, Databases
credentials,...) is to use a secrets management system.
Many of the public clouds providers have this kind of service (AWS Secrets
Manager, GCP secrets manager, Azure Key Vault, ...) if you're on premises
opensource tools do exist (Hashicorp vault, Square Keywhiz). Spring
framework seems to support many of them.
Github do have a secrets scanning tool that recognize many of public APIs.
Other tools are available to scan source code for secretes and can be
configured as pre-commit hook (Yelp Detect Secrets come to mind).

HTH,
--Daoud

On Fri, May 22, 2020 at 10:27 PM Alonso Del Arte <al...@gmail.com>
wrote:

> This is somewhat of a general Java question, but I do believe it has an
> IDE-specific component.
>
> What are the best practices for storing and retrieving API keys in Java
> programs? And what help does NetBeans offer for adhering to those best
> practices?
>
> Suppose for example that your key for an example widget API is
> "555EXAMPLE." You could certainly write "private final static String
> API_KEY = "555EXAMPLE";" and then each time you need the key, you write "
> API_KEY" where it's needed.
>
> String query = "https://www.example.com/api/q=" + sendParams + "&key=" +
> API_KEY;
> URL queryURL = new URL(query);
> HttpURLConnection conn = (HttpURLConnection) queryURL.openConnection();
> conn.setRequestMethod("POST");
> // etc.
>
> But then I might forget about the API key and upload the source file to a
> public GitHub repository (maybe GitHub would alert us, but I don't know for
> sure).
>
> I suppose I could store the API key in a file or folder listed in the Git
> Ignore, and then create a class to store and retrieve API keys, but that
> would probably feel like I'm reinventing the wheel...
>
> Alonso del Arte
> Author at SmashWords.com
> <https://www.smashwords.com/profile/view/AlonsoDelarte>
> Musician at ReverbNation.com <http://www.reverbnation.com/alonsodelarte>
>