Store PrivateKey in ServletContext
25-10-2019
Question
I would like your opinion. I am developing a Servlet that has to sign the requests it sends to an endpoint.

In order to avoid reading the server's keystore from file, loading it and getting the private key repeatedly, I am doing all of that in a listener that implements ServletContextListener. In this way it is done only when the servlet is initialised (deployed).

Once I get the private key I am storing it in the application's ServletContext. Do you think that is a good design decision?

Thanks in advance.
Solution
Whatever solution you choose, you'll have the private key in memory at some time. So any cracker having access to the memory could find a way to get this private key. Loading it once and storing it in memory at startup looks like a good solution to me. Just make sure that the server is not easily accessible to malicious persons.
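The design described in the question, as an added example (not the asker's or the answerer's code): a ServletContextListener that loads the keystore once at deployment, stores the PrivateKey under a ServletContext attribute, fails deployment if the key is missing, and removes it again on shutdown; the init-parameter names, the environment variable, the keystore type and the signature algorithm are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
// Loads the keystore once at deployment and keeps the PrivateKey in the
// ServletContext, as the question describes. Parameter names are assumed.
@WebListener
public class SigningKeyListener implements ServletContextListener {
    public static final String KEY_ATTR = "signing.privateKey";
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Keystore path (web-app relative) and alias come from context-params,
        // the password from the environment: nothing secret in source.
        String path = ctx.getInitParameter("keystore.path");
        String alias = ctx.getInitParameter("keystore.alias");
        char[] password = System.getenv("KEYSTORE_PASSWORD").toCharArray();
        try (InputStream in = ctx.getResourceAsStream(path)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            if (key == null) throw new IllegalStateException("no key for alias " + alias);
            ctx.setAttribute(KEY_ATTR, key);
        } catch (Exception e) {
            // Fail deployment rather than run without a signing key.
            throw new IllegalStateException("cannot load signing key", e);
        } finally {
            Arrays.fill(password, '\0'); // clear our copy of the password
        }
    }
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(KEY_ATTR);
    }
    // Called by the servlet to sign an outgoing request body.
    public static String sign(ServletContext ctx, byte[] body) throws Exception {
        PrivateKey key = (PrivateKey) ctx.getAttribute(KEY_ATTR);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(body);
        return Base64.getEncoder().encodeToString(sig.sign());
    }
}
```

Servlets call `SigningKeyListener.sign(getServletContext(), body)`; the key object stays in heap memory for the life of the deployment, which is the trade-off the answer points out.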