Storing username/password on Mac using Java
C

3

11

I'm writing a small program (a Twitter client) in Java, aimed at Mac OS X. As part of its functionality, it needs to have a place to store the Twitter username/password. The natural place would be the Mac keychain, but I can't find any way of accessing it.

Is there any way of accessing the Mac keychain from Java, or failing that, what is your recommendation for where to store the username/password instead?

Clothesline answered 7/4, 2009 at 22:12 Comment(0)
C
15

There is a Java keychain API, in that there's an implementation of KeyStore on OS X backed by the keychain.

I think the keychain is the best place (if not the place) to store the password. It's encrypted with a good algorithm, the user is free to be as permissive or as paranoid over the availability of the keychain to apps as they like, and the password would then be stored with and configured like all of the other passwords the user stores.

Chorion answered 7/4, 2009 at 22:27 Comment(4)
I like this better than Kevin's answer because sometimes you won't be writing a twitter client and you want the paranoid apple password warnings. Cancel or Allow. Cancel or Allow. (vista almost had it right) - Doodlesack
I like this one too, for the same reasons. - Impetrate
Has anyone tried this? I did and it seems that you can't store a SecretKey with apple.security.KeychainStore - see source code. - Soapbark
It's pretty, but it does not work. See mail.openjdk.java.net/pipermail/macosx-port-dev/2014-March/… for test code and RFE. - Puzzle
B
4

I haven't tried this, but it looks like you can access the key chain with the Apple crypto provider (com.apple.crypto.provider.Apple), creating a KeyStore of type KeychainStore.


Okay, after some experimentation, I was able to access private-key–certificate entries in the KeychainStore. However, passwords in my Keychain did not show up (no alias was listed), and when I tried to add a KeyStore.SecretKeyEntry (which is what you'd need to hold a password) it failed with the message, "Key is not a PrivateKey". Clearly, Apple has not supported SecretKeyEntry.

If you still want to protect your Twitter password through the key chain, I think the closest you can get is to generate an RSA key pair, self-sign a certificate, and add a PrivateKeyEntry to the keychain. Then you can use the key pair to protect the Twitter password.

It isn't terribly difficult to sign certificates yourself, but if you go that route, you might want to check out the BouncyCastle library for help.

Blythe answered 7/4, 2009 at 22:26 Comment(3)
Indeed, it does not work. However, it works with JCEKS as KeyStore. For a rough example, see kingsfleet.blogspot.de/2008/12/… - Puzzle
@hendrik Yes, JCEKS has always supported SecretKeyEntry, but this question is specifically about using the "Keychain" feature of Mac OS. - Blythe
No sweat, just wanted to add some additional info and at the same time raised the issue on the Java OSX port list - who knows, perhaps it gets implemented at some point. - Puzzle
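The JCEKS route mentioned in the comments above, as an added example (not code from the answer or its commenters): it stores a password as a `KeyStore.SecretKeyEntry` in a file-backed JCEKS store and reads it back. The class name, alias, file location and passphrases are constructed for illustration; unlike the Keychain, the store is protected only by the master passphrase the application supplies.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class JceksPasswordStore { // hypothetical class name
    // A PBE "key" from SunJCE just carries the password characters (printable ASCII only).
    private static final String KEY_ALG = "PBEWithHmacSHA256AndAES_128";

    static KeyStore open(Path file, char[] master) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        // No file yet: start with an empty store.
        if (!Files.exists(file)) { ks.load(null, master); return ks; }
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, master); }
        return ks;
    }

    static void store(Path file, char[] master, String alias, char[] secret) throws Exception {
        KeyStore ks = open(file, master);
        PBEKeySpec spec = new PBEKeySpec(secret);
        SecretKey key = SecretKeyFactory.getInstance(KEY_ALG).generateSecret(spec);
        spec.clearPassword(); // the key object now holds its own copy
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(master));
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, master); }
    }

    static char[] load(Path file, char[] master, String alias) throws Exception {
        KeyStore.Entry e = open(file, master).getEntry(alias, new KeyStore.PasswordProtection(master));
        if (!(e instanceof KeyStore.SecretKeyEntry)) return null; // missing or not a secret key
        SecretKey key = ((KeyStore.SecretKeyEntry) e).getSecretKey();
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance(KEY_ALG).getKeySpec(key, PBEKeySpec.class);
        return spec.getPassword();
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempDirectory("ksdemo").resolve("client.jceks");
        char[] master = "constructed-master-passphrase".toCharArray(); // constructed sample
        store(file, master, "twitter:exampleuser", "constructed-secret".toCharArray());
        char[] back = load(file, master, "twitter:exampleuser");
        System.out.println("round trip ok: " + Arrays.equals(back, "constructed-secret".toCharArray()));
        Arrays.fill(back, '\0'); // wipe the recovered password once used
        Files.delete(file);
    }
}
```

In a real client the master passphrase would come from the user at startup rather than from a literal in the code.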
I
3

You should take a look at Twitter's API page on OAuth support. By using OAuth, you don't need to know the user's Twitter password.

http://apiwiki.twitter.com/OAuth-FAQ

Impetrate answered 8/4, 2009 at 5:27 Comment(3)
That's brilliant! I will have to look into it more, but it sounds like a much better solution than storing the passwords. - Clothesline
If it does, you'll get the best answer tick, obviously. - Clothesline
The recent openauth vulnerability & subsequent (temporary) disabling by Facebook and others may change how dependent on this mode of authentication you are. I would still suggest this as a preferred method of authentication, but you should think about how to authenticate (and store credentials) if openAuth is disabled again. - Impetrate
