Security
The diego.security package contains some useful classes for handling common tasks related to securing your application.
Token generator
The TokenGenerator class contains functions for generating random strings of characters for things such as temporary passwords, API keys and authentication tokens.
String generateTemporaryPassword() {
    return TokenGenerator.generate(TokenGenerator.CharacterLibrary.ALPHANUMERIC, 16) // => wjSBJGoPBY3JVots
}
Encryption/decryption
The Encrypt class contains functions for hashing values and encrypting and decrypting string data using AES 128-bit encryption.
@Inject Encrypt encrypt
String encryptedPassword = encrypt.encrypt("password") // => vs8rv2R08vy/2OoZMBY69w==
Hashing
Use the Encrypt class to create hashes for your data as well:
String hash = encrypt.hash("password") // => 2e2b24f8ee40bb84...
This creates a SHA256 hash, salted with the app.security.secret value. If you would like to create a plain hash, use the static Encrypt.sha256() method. This is useful for asset fingerprinting.
⚠ Important: Remember to change the app.security.secret setting in production.
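The difference between the secret-salted hash and the plain digest, as an added Java example that is not diego.security code. It uses HMAC-SHA256 as the keyed construction, which is an assumption (Encrypt.hash() may combine the secret differently); the class name, method names and sample secrets are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration; not the diego.security implementation.
public class KeyedHashDemo {

    // Plain SHA-256: depends only on the input, so it is identical in every deployment.
    static String sha256Hex(String value) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return hex(md.digest(value.getBytes(StandardCharsets.UTF_8)));
    }

    // Keyed hash. HMAC-SHA256 is an assumption; Encrypt.hash() may mix in the secret differently.
    static String keyedHashHex(String value, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return hex(mac.doFinal(value.getBytes(StandardCharsets.UTF_8)));
    }

    // Constant-time comparison when checking a presented value against a stored hash.
    static boolean verify(String value, String secret, String expectedHex) throws Exception {
        byte[] actual = keyedHashHex(value, secret).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expectedHex.getBytes(StandardCharsets.US_ASCII));
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String defaultSecret = "secret";                           // placeholder from env.properties
        String prodSecret = "constructed-sample-secret-for-demo";  // constructed sample value

        String stored = keyedHashHex("password", prodSecret);
        System.out.println("plain sha256      : " + sha256Hex("password"));
        System.out.println("keyed (default)   : " + keyedHashHex("password", defaultSecret));
        System.out.println("keyed (production): " + stored);
        System.out.println("verify, right key : " + verify("password", prodSecret, stored));
        System.out.println("verify, default   : " + verify("password", defaultSecret, stored));
    }
}
```

With the placeholder secret left in place, the keyed hash can be recomputed by anyone who knows the default value, which is why the setting has to change in production.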
Configuration
Store your secret key in env.properties and don’t check this file in to version control:
# env.properties
secret_key=secret
# application.conf
diego.security.secret = ${secret_key}
Notes:
- The Encrypt utility class requires diego.security.key to be set before it can be used.