Retrieving Database Username and Password

 
Corey McGlone
Ranch Hand
Posts: 3271
Hi all,

I'm working on an application (being developed on WebSphere application server) and this Java application needs to communicate with another application written in a different language. This other application needs access to the database we're using.

In this case, we have created an application user account that we use to log in to the database. One of our security requirements is that the password on this account be changed every few months. As such, we want it to be stored in a single place and that place should be accessible so that we can modify it down the road. We decided to keep the username and password in the datasource configuration within WAS.

Well, in keeping with our concept of keeping the username/password in one place, we need to actually pass that data to the other application so that it can access the database. Unfortunately, I'm not sure how, within my web application, to pull that information out of the server registry. If I could get it out, passing it to the other application is really no problem, at all.

Anyone know how to get that information out of the server registry? I was looking into using the DatabaseMetaData class and, as appealing as the getAttributes method is, it's only available in version 1.4+ and we're developing on 1.3. I also tried the getURL() method, but no luck there.

Any ideas?

Thanks.
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34860
Corey,
That problem looks like a doozy. The easiest way is a property file, but I admire your effort to get the password in one place. Have you checked the WebSphere specific APIs? I doubt that they would have such a security breach possible through code, but you never know. (I wouldn't want a rogue app to be able to get the password of any datasource on the server.)

Another approach is to see if it is possible to get the password through wsadmin (jacl). It may be, since you can set it that way. And most wsadmin objects allow you to get all their attributes.

Just out of curiosity, does DatabaseMetaData do what you want? It gives the schema information and the like, but I don't see the password.
 
Corey McGlone
Ranch Hand
Posts: 3271
Originally posted by Jeanne Boyarsky:
That problem looks like a doozy. The easiest way is a property file...


I wanted to use a property file, as well. Heck, I'd even put it in the web.xml file as a servlet init parameter, but I was told it would be "more secure" to put it into the datasource configuration.

Honestly, is there anything unsecure about putting the username and password into a .properties file or the web.xml file, either of which would be stored within the WEB-INF directory, which should be secure? I don't know what the problem is with that.

Originally posted by Jeanne Boyarsky:
Just out of curiosity, does DatabaseMetaData do what you want? It gives the schema information and the like, but I don't see the password.


DatabaseMetaData gets me some of what I need. In addition to the username and password, I need to be able to send the database name to the other application (as we have multiple databases in multiple environments - Dev, Test, and Production). I can get the database name from the getURL() method and I can get the username from the getUsername() method. Unfortunately, I have no way to get the password. That seems to be my hangup.

My favorite solution would be simply to move the database username and password to a properties file or the deployment descriptor. I'm just not sure who I have to sleep with in order to get that done. :roll:
 
Adeel Ansari
Ranch Hand
Posts: 2874
Why not write an encrypted password there in the property file? After getting it, decrypt it in your code.

[edited]
Better to decrypt it after getting it transferred to the other app.

How does it sound?
[ April 16, 2005: Message edited by: Adeel Ansari ]
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34860
Originally posted by Corey McGlone:
Honestly, is there anything unsecure about putting the username and password into a .properties file or the web.xml file, either of which would be stored within the WEB-INF directory, which should be secure? I don't know what the problem is with that.


Corey,
There isn't anything inherently insecure about using an (encrypted) property file. You lose the advantages of J2C for security, but it's a tradeoff between that and having the password in one place. I'm not sure how WAS 6 handles passwords in property files vs datasources. You may want to check so the solution you pick is somewhat forward compatible.

Of the two choices, I favor a property file over the web.xml. It's somewhat more independent of your app.
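
An added example, not code from this thread: one way to keep the password encrypted in a properties file, as suggested above, using AES-GCM on a current JDK. The class, the property names (`db.name`, `db.user`, `db.password.enc`) and the sample values are constructed for illustration, and it assumes the key is stored somewhere other than the properties file, since a key kept beside the ciphertext only obfuscates it.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.StringReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

public class EncryptedDbProps {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Encrypts a value for the properties file: base64(iv || ciphertext || tag).
    static String seal(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    // Decrypts a stored value; doFinal throws AEADBadTagException if the key is
    // wrong or the stored value was modified.
    static String open(byte[] key, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("value too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key (AES-128). In a deployment the key is read from a
        // location separate from the properties file and readable only by the app account.
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);

        // Constructed properties content; only the password is encrypted.
        String file = "db.name=APPDB_DEV\ndb.user=app_user\ndb.password.enc=" + seal(key, "demo-password") + "\n";
        Properties p = new Properties();
        p.load(new StringReader(file));

        String password = open(key, p.getProperty("db.password.enc"));
        System.out.println(p.getProperty("db.user") + "@" + p.getProperty("db.name")
                + " password recovered: " + password.equals("demo-password"));
    }
}
```

If the encrypted value is handed to the other application and decrypted there, as the edited suggestion proposes, only that application needs the key and `open` is the part it would reimplement.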
 