Hide Password in Hibernate Configuration file

 
Greenhorn
Posts: 8
Hello,

How do I encrypt the password in hibernate.cfg.xml? Our operations engineer doesn't allow plain-text passwords in the production system.

Thanks
 
Ranch Hand
Posts: 93
I reckon you can try the jasypt library.
 
Author
Posts: 12617
The password in a hibernate config file is expected to be plain text. You *could* encrypt/decrypt the password and do that part of the config manually, or just use a JNDI datasource and keep the password info in the app server itself. But I'm guessing your operations engineer doesn't really understand that there's no way to actually *get* the plaintext password from a client (assuming the config file lives in a reasonable place) unless they already have access to the machine, in which case it's too late anyway.
 
Ranch Hand
Posts: 57
You might configure Hibernate programmatically instead of using .xml configuration. Thus your password goes in the bytecode. It ain't the most secure approach, but it gives you better security. It also gives you more flexibility, like the possibility to call security methods...
You might blend XML configuration and Java code configuration too.

Best regards.
 
Bartender
Posts: 10336
+1.

Every time I hear this (or a similar) requirement (and it comes up fairly regularly), I assume said engineer doesn't have confidence in their own ability to secure a production system, or is working in an unthinking way from some sort of crib sheet. Plain text passwords are usually fine on properly secured machines; if someone has admin access to the machine it's only a matter of time until they manage to do something bad, and they can easily do bad without knowing the password to your database. I wouldn't worry about it, unless you have a malicious admin, but there's not much anyone can do if you've got one of them. You could programmatically configure Hibernate if you absolutely don't want a password stored anywhere (and prompt for the password when your application starts) but "production system" sounds like a server, so I'd just go with securing the box itself and not worrying about passwords in config files.
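The programmatic route the two replies above describe (blend hibernate.cfg.xml with Java code, and prompt for the password at startup instead of storing it) as an added example, not code from any poster: the XML keeps everything except the password, which is taken from an environment variable (the name DB_PASSWORD is an assumption) or a console prompt. The Hibernate classes and property keys are real; the class name is made up.

```java
import java.io.Console;
import java.util.Arrays;

import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.hibernate.cfg.Environment;

// Hypothetical bootstrap class: hibernate.cfg.xml on the classpath carries the
// driver, URL and user name but no hibernate.connection.password element.
public final class SecretFreeHibernateBootstrap {

    // Assumed environment variable name; pick whatever your deployment uses.
    private static final String PASSWORD_ENV = "DB_PASSWORD";

    // Resolution order: environment variable first, interactive prompt second.
    // The env var suits a server started by a service manager; the prompt suits
    // a hand-started process, as the last reply suggests.
    static char[] resolvePassword(Console console) {
        String fromEnv = System.getenv(PASSWORD_ENV);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        if (console != null) { // null when stdin is not a terminal (e.g. a service)
            char[] typed = console.readPassword("Database password: ");
            if (typed != null && typed.length > 0) {
                return typed;
            }
        }
        throw new IllegalStateException(
            "no database password: set " + PASSWORD_ENV + " or run from a console");
    }

    public static SessionFactory build() {
        // configure() loads hibernate.cfg.xml; the password is added in code.
        Configuration cfg = new Configuration().configure();
        char[] password = resolvePassword(System.console());
        try {
            // Environment.PASS is the constant for "hibernate.connection.password".
            // Hibernate only accepts a String here, so the secret does spend time
            // on the heap; what this buys is that it is never written to disk.
            cfg.setProperty(Environment.PASS, new String(password));
            return cfg.buildSessionFactory();
        } finally {
            Arrays.fill(password, '\0'); // scrub the char[] copy once it is used
        }
    }
}
```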

 