I am quite new to programming Java web applications. Users need to re/upload PKCS #12 certificates (one certificate for all users and per one application instance) in my Spring web application. The certificate is used for signing SOAP messages that my application sends to the WS (I need to create a keystore with this certificate). I created the business layer of the application and now I need to add the end-user web functionality.
My questions are:
- File storage - where should I place the uploaded certificate? (To be honest, I've never implemented file upload in a Java web app. Where are files usually placed? In a database, on disk, or somewhere else?)
- Keystore - is it a good idea to create a new keystore every time a user uploads a new certificate file, or should I update the existing keystore? Where should I place the keystore so that it is accessible for KeyStoreFactoryBean? What is the best practice for this scenario?
Thank you.
Note that a PKCS#12 is a keystore too, but I suggest extracting the keys and including them in an application keystore instead of using the file directly. With a main keystore you can control the location, access control and the configuration of the SOAP signature code.
Whereas storing the PKCS#12 file has disadvantages:
- A PKCS#12 file will require storing the password to decrypt it.
- Storing files directly on the disk is often problematic: permissions, names, access control, etc.
- SOAP signature configuration will be complex with variable file names. For example, in the well-known framework WSS4J the configuration is done with configuration files. It is not possible to configure a keystore path at runtime (maybe this has changed...).
- The uploaded files probably won't be on the classpath. Spring configuration to load resources is simpler using the classpath rather than an absolute directory path.
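As an added example (not code from the answer above or from any Spring project), this is one way to implement what the answer recommends with the plain JDK KeyStore API: the uploaded PKCS#12 is opened in memory, its private key and certificate chain are copied into the application's own keystore under a fixed alias, the old signing key is replaced, and the PKCS#12 password is discarded once the import is done. The alias name, the file layout, the choice of PKCS12 as the main keystore format and the class and method names are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class SigningKeyImporter {

    /** Assumed fixed alias: the SOAP signing code always looks this up, whatever alias the upload used. */
    static final String SIGNING_ALIAS = "soap-signing";

    /**
     * Imports the private-key entry of an uploaded PKCS#12 blob into the application
     * keystore under a fixed alias, replacing any previous signing key, and writes the
     * keystore back. The PKCS#12 password is needed only during this call and never
     * has to be persisted; only the application keystore password stays in configuration.
     */
    public static KeyStore importSigningKey(byte[] uploadedP12, char[] p12Password,
                                            Path appKeystorePath, char[] appPassword) throws Exception {
        KeyStore incoming = KeyStore.getInstance("PKCS12");
        try (InputStream in = new ByteArrayInputStream(uploadedP12)) {
            incoming.load(in, p12Password);          // wrong password or corrupt file -> IOException
        }

        // Load the application keystore, or start an empty one on first upload.
        KeyStore main = KeyStore.getInstance("PKCS12");
        if (Files.exists(appKeystorePath)) {
            try (InputStream in = Files.newInputStream(appKeystorePath)) {
                main.load(in, appPassword);
            }
        } else {
            main.load(null, appPassword);
        }

        // Find the first private-key entry; an upload that only carries certificates is rejected.
        String found = null;
        for (Enumeration<String> aliases = incoming.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (incoming.isKeyEntry(alias)) { found = alias; break; }
        }
        if (found == null) {
            throw new IllegalArgumentException("uploaded PKCS#12 contains no private key entry");
        }

        Key key = incoming.getKey(found, p12Password);
        Certificate[] chain = incoming.getCertificateChain(found);
        if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
            throw new IllegalArgumentException("entry '" + found + "' has no private key with a certificate chain");
        }
        // Refuse an expired or not-yet-valid signing certificate before it is put into service.
        ((X509Certificate) chain[0]).checkValidity();

        // One signing identity per application instance: overwrite the previous entry.
        main.setKeyEntry(SIGNING_ALIAS, key, appPassword, chain);

        // Write to a temporary file and rename, so a half-written keystore is never loaded.
        Path tmp = appKeystorePath.resolveSibling(appKeystorePath.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            main.store(out, appPassword);
        }
        Files.move(tmp, appKeystorePath, StandardCopyOption.REPLACE_EXISTING);
        return main;
    }

    /** Usage: java SigningKeyImporter upload.p12 <p12 password> app-keystore.p12 <app keystore password> */
    public static void main(String[] args) throws Exception {
        byte[] uploaded = Files.readAllBytes(Paths.get(args[0]));
        KeyStore ks = importSigningKey(uploaded, args[1].toCharArray(),
                Paths.get(args[2]), args[3].toCharArray());
        X509Certificate leaf = (X509Certificate) ks.getCertificate(SIGNING_ALIAS);
        System.out.println("imported signing key for " + leaf.getSubjectX500Principal()
                + ", valid until " + leaf.getNotAfter());
    }
}
```

To try it without a real certificate, a throwaway PKCS#12 can be generated with the JDK's keytool, e.g. `keytool -genkeypair -alias upload -keyalg RSA -dname CN=test -storetype PKCS12 -keystore upload.p12 -storepass changeit -validity 365`, and then passed as the first argument. In a Spring application the `appKeystorePath` and `appPassword` would come from configuration, so the signing component (and a KeyStoreFactoryBean pointing at that one file) never has to know the name or password of any individual upload.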