joss | The Journal of Open Source Software | Machine Learning library

I was thinking that, because the Secret key and salt are stored in the code, it is possible that the code can be reverse compiled to get these values.

Correct. AES encrypting that password accomplishes almost nothing, and in fact makes things worse: It looks encrypted (because it is), and one would assume the persons doing the encryption wouldn't be so incredibly dense as to leave the key right there next to the password file.

Except that it is effectively right there (they'd have to decompile the class files but that's not difficult and cannot be made difficult), so you've created the wrong impression.

Your security team needs to give you threat models to work with, they can't just say "do not read password from file", because that is impossible. Why can you not do that? What avenue of attack do they want to mitigate?

Examples:

• I do not want a syadmin casually cat-ing that file and thus smearing the password all over their screen and in their terminal app's history buffers for anybody to just shouldersurf.

ANSWER: Just base64 it. Yes, it's not crypto at all, but at least it makes no bones about it: Folks will see its base64 and assuming they aren't idiots know that means the password is right there. But it's protected against shouldersurfing and 'accidental' recollection (where someone has seen it with their eyes and may therefore just remember it even if they don't intend to). Someone has to go out of their way to unbase64 it, and if the rules say you can't do that, at least you've now forced an employee to outright break rules and potentially be committing a crime.

• I'm afraid someone will hack the server just barely enough to make it read files and echo them to the hacker.

Then the base64 thing does nothing, nor does the AES plan (as they can also make your webserver cat its own jars and class files, probably). One solution can be that the script that starts the server reads the file (and is root-operated, running the server under a webserver account) - that script reads the password (thus allowing you to make that file owned by root and unreadable by the webserver account), passes it as argument or environment var. Of course, this requires that you consider the risk of leaking an env var as considerably lower than a text file. Which is certainly possible. Alternatively, the script can write the password in a plain text file readable by the webserver user, and the webserver will read it, then delete the file. This isn't common, but it shows the point of threat models: Once you know what you're fighting, you can come up with a plan and execute accordingly.

• I want to use JBoss Password Vault

That is not sensible security policy: That is not a threat model. JPV doesn't solve any of these problems, to boot.

• I want a hacker that gains full access to the box, including root and/or write-access for the webserver user to not be able to use that as a springboard to hack the DB.

This is impossible, if the security team tells you this is the threat they need you to mitigate, you can tell them to go fetch Harry Potter's magic wand, because without it, you can't deliver. The hacker can simply rewrite your own classes/jars into sending the password to the hacker's servers, for example. This is strongly indicative your security team doesn't know how to do their job: They think of risks no matter how unlikely and demand it is 'protected against' (not really a thing; you can reduce and mitigate, security isn't black and white) without considering threat models or tradeoffs.

Get them educated, or decide to lie to them. You can't win when they act like this otherwise. Go over their heads maybe and get the boss involved.

• I want a hacker that manages to obtain a clone of the entire disk to not be able to access the DB.

Doable, but tricky. One easy way is that the server won't know the password either and will boot in an admin-only-mode, where the admin types the db password into a form which then unlocks the server to run properly. The server can then retain this password in memory only, thus foiling any disk copies. Except, you better turn of swap or store that on a different disk!

If you don't want that manual action, there's TPM chips (windows/linux systems generally) or T2 (apple). I don't know of any java-accessible tools that can do this, or DBs that can. These kinds of algorithms require a challenge/response model, you can't just 'store a password' in these in a meaningful way.

Ask the security team for a budget of 80k or so. If they balk, well, they've learned something. Security is a game of tradeoffs.

The issue was not that obvious but easy to solve. While initializing the gmail.NewService() I needed to pass the config parameter as option, just like the previous implementation of gmail.New() was using

So before was

This is because posts is a JSON object and not an array that you can use the map() function with. Instead, you need to give the array to the map() function before you can pull out the titles.

To access the array of the JSON object, you can use posts['data'].

In Python you can get the highest value in a list (or in an iterable in general) with the built-in function max:

You need to iterate through each list:

Put a context_object_name = 'tutor' in your DetailView class!

Building on an answer given here, You can do the following:

Try:

Firstly filter out columns:

Any specific reason for casting your response to Map. A List should work just fine.

This should work as well: