/** Generate a local password and save it in the local-password file. */ public void postConstruct() { logger.fine("Generating local password"); SecureRandom random = new SecureRandom(); byte[] pwd = new byte[PASSWORD_BYTES]; random.nextBytes(pwd); password = toHex(pwd); File localPasswordFile = new File(env.getConfigDirPath(), LOCAL_PASSWORD_FILE); PrintWriter w = null; try { if (!localPasswordFile.exists()) { localPasswordFile.createNewFile(); /* * XXX - There's a security hole here. * Between the time the file is created and the permissions * are changed to prevent others from opening it, someone * else could open it and wait for the data to be written. * Java needs the ability to create a file that's readable * only by the owner; coming in JDK 7. */ localPasswordFile.setWritable(false, false); // take from all localPasswordFile.setWritable(true, true); // owner only localPasswordFile.setReadable(false, false); // take from all localPasswordFile.setReadable(true, true); // owner only } w = new PrintWriter(localPasswordFile); w.println(password); } catch (IOException ex) { // ignore errors logger.log(Level.FINE, "Exception writing local password file", ex); } finally { if (w != null) w.close(); } }