
Hide Password in Hibernate Configuration File

 
naniigadu pokiri
Greenhorn
Posts: 8
Hello,

How do I encrypt the password in hibernate.cfg.xml? Our operations engineer doesn't allow plain-text passwords on the production system.

Thanks
 
Nevin kumar
Ranch Hand
Posts: 93
I reckon you can try the Jasypt library.
 
David Newton
Author
Rancher
Posts: 12617
The password in a hibernate config file is expected to be plain text. You *could* encrypt/decrypt the password and do that part of the config manually, or just use a JNDI datasource and keep the password info in the app server itself. But I'm guessing your operations engineer doesn't really understand that there's no way to actually *get* the plaintext password from a client (assuming the config file lives in a reasonable place) unless they already have access to the machine, in which case it's too late anyway.
 
Victor Dolirio
Ranch Hand
Posts: 57
You might configure Hibernate programmatically instead of using the .xml configuration. Thus your password goes into the bytecode. It isn't the most secure approach, but it gives you better security. It also gives you more flexibility, like the possibility to call security methods...
You might blend XML configuration and Java code configuration too.

Best regards.
 
Paul Sturrock
Bartender
Posts: 10336
+1.

Every time I hear this (or a similar) requirement (and it comes up fairly regularly), I assume said engineer doesn't have confidence in their own ability to secure a production system, or is working in an unthinking way from some sort of crib sheet. Plain-text passwords are usually fine on properly secured machines; if someone has admin access to the machine, it's only a matter of time until they manage to do something bad, and they can easily do bad without knowing the password to your database. I wouldn't worry about it, unless you have a malicious admin, but there's not much anyone can do if you've got one of them. You could programmatically configure Hibernate if you absolutely don't want a password stored anywhere (and prompt for the password when your application starts), but "production system" sounds like a server, so I'd just go with securing the box itself and not worrying about passwords in config files.
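The two options the replies above describe (David Newton's JNDI datasource, where the app server holds the credential and the application never sees it, and Victor Dolirio's and Paul Sturrock's programmatic configuration, where hibernate.cfg.xml carries everything except the password and the password is supplied when the application starts) as one added Java example. This is not code from the thread or from Hibernate; it assumes Hibernate's `org.hibernate.cfg.Configuration` API (4.x/5.x), a hibernate.cfg.xml on the classpath that contains the mappings and dialect but no password, and the illustrative JNDI name `java:comp/env/jdbc/AppDS` and environment variable `DB_PASSWORD`, none of which come from the original posts.

```java
import java.io.Console;
import java.util.Arrays;

import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.hibernate.cfg.Environment;

/** Bootstraps Hibernate without a plain-text DB password in hibernate.cfg.xml. */
public final class SecureHibernateBootstrap {

    /**
     * Option A: container-managed JNDI datasource. The credential lives in the
     * app server's datasource definition; the application only knows the JNDI name.
     * Any driver-manager settings left in the XML are removed so they cannot be
     * picked up by mistake.
     */
    public static SessionFactory fromJndiDataSource(String jndiName) {
        Configuration cfg = new Configuration().configure(); // reads /hibernate.cfg.xml
        cfg.setProperty(Environment.DATASOURCE, jndiName);   // "java:comp/env/jdbc/AppDS" (assumed name)
        cfg.getProperties().remove(Environment.URL);
        cfg.getProperties().remove(Environment.USER);
        cfg.getProperties().remove(Environment.PASS);
        return cfg.buildSessionFactory();
    }

    /**
     * Option B: blend XML and code. Everything except the password comes from
     * hibernate.cfg.xml; the password is injected at runtime so it is never
     * written to the config file (it still exists in process memory).
     */
    public static SessionFactory withRuntimePassword(String password) {
        Configuration cfg = new Configuration().configure();
        cfg.setProperty(Environment.PASS, password); // hibernate.connection.password
        return cfg.buildSessionFactory();
    }

    /**
     * Resolve the password for option B: an environment variable for unattended
     * servers (DB_PASSWORD is an assumed name), otherwise an interactive prompt,
     * as Paul suggests. Fails closed if neither is available.
     */
    static String resolvePassword() {
        String fromEnv = System.getenv("DB_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv;
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("DB_PASSWORD not set and no console to prompt on");
        }
        char[] typed = console.readPassword("Database password: ");
        try {
            return new String(typed);
        } finally {
            Arrays.fill(typed, '\0'); // scrub the char[] once copied
        }
    }

    public static void main(String[] args) {
        SessionFactory sf = (args.length > 0 && args[0].equals("jndi"))
                ? fromJndiDataSource("java:comp/env/jdbc/AppDS")
                : withRuntimePassword(resolvePassword());
        System.out.println("SessionFactory ready: " + !sf.isClosed());
        sf.close();
    }
}
```

Two caveats a reviewer would raise on either option. First, an encrypted value in the file (the Jasypt `ENC(...)` style Nevin mentions) only adds real protection if the decryption key is delivered out of band at startup; if the key sits on the same box next to the config, it is obfuscation, not encryption, which is David's and Paul's point. Second, whichever option is used, the thing to actually check is the file and process permissions: hibernate.cfg.xml readable only by the service account (`chmod 600`), no world-readable backups or copies in version control, and the JNDI datasource definition held to the same standard on the app server.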
