/** Generate a local password and save it in the local-password file. */
public void postConstruct() {
logger.fine("Generating local password");
SecureRandom random = new SecureRandom();
byte[] pwd = new byte[PASSWORD_BYTES];
random.nextBytes(pwd);
password = toHex(pwd);
File localPasswordFile = new File(env.getConfigDirPath(), LOCAL_PASSWORD_FILE);
PrintWriter w = null;
try {
if (!localPasswordFile.exists()) {
localPasswordFile.createNewFile();
/*
* XXX - There's a security hole here.
* Between the time the file is created and the permissions
* are changed to prevent others from opening it, someone
* else could open it and wait for the data to be written.
* Java needs the ability to create a file that's readable
* only by the owner; coming in JDK 7.
*/
localPasswordFile.setWritable(false, false); // take from all
localPasswordFile.setWritable(true, true); // owner only
localPasswordFile.setReadable(false, false); // take from all
localPasswordFile.setReadable(true, true); // owner only
}
w = new PrintWriter(localPasswordFile);
w.println(password);
} catch (IOException ex) {
// ignore errors
logger.log(Level.FINE, "Exception writing local password file", ex);
} finally {
if (w != null) w.close();
}
}
