How to avoid hardcoded password in JDBC

 
Milhouse Cernilovsky
Greenhorn
Hello,

I am new to this forum ... I had serious problems when registering, because I didn't get the emails to my Czech addresses, so I had to create an account at Gmail.com, which already worked fine.
I will be very thankful for any help and I hope one day I will even be able to give some valid answers to new "Java greenhorns". I appreciate that you answer our dummy questions in your free time.

My question is included in the subject. How can I avoid hardcoding the login and password when I want to connect to a database using JDBC? I was Googling this question and usually people suggested a "property file". I know how to use it, but is it really safe? How can I make the content of such a file safe? In the Java Tutorial, the password is simply hardcoded and there is no warning that it can be very dangerous!

I solved this problem by creating another layer of the application written in PHP, where it is already safe to hardcode the password and where I always have to check if a particular user (now I am not speaking about a database user, but about my application's user) can perform such a query, but that is very ineffective I think ...

Thank you!
 
Jesper de Jong
Java Cowboy
Sheriff
Welcome to JavaRanch!

Properties files are simple text files with key-value pairs in them, separated by = signs. You can load these easily with the class java.util.Properties.

Storing the username, password, JDBC URL etc. in a properties file does not make it automatically secure. It does make it easier to change the password if you change it in the database (you won't need to recompile your source code, if it's not hard-coded into the source code).

You mentioned PHP, so you're most likely writing a web application. You can put the properties file in a place that is not accessible via the web browser directly, which would make it a bit safer.
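An added example (not code from the original thread) of what Jesper describes: the JDBC settings are loaded with java.util.Properties from a file that lives outside the source tree and the web root, so nothing is compiled into the class files. The file path, the property keys and the permission check are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/** Loads JDBC settings from a properties file that lives outside the source tree. */
public final class DbConfig {
    // Assumed file layout (hypothetical keys), e.g. /etc/myapp/db.properties:
    //   jdbc.url=jdbc:postgresql://localhost:5432/shop
    //   jdbc.user=shop_app
    //   jdbc.password=secret
    private final Properties props = new Properties();

    public DbConfig(Path file) throws IOException {
        refuseIfOthersCanRead(file);
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        for (String key : new String[] {"jdbc.url", "jdbc.user", "jdbc.password"}) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing key " + key + " in " + file);
            }
        }
    }

    /** On POSIX file systems, refuse a secrets file that group or others can read. */
    private static void refuseIfOthersCanRead(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IOException(file + " is readable by other users; use chmod 600");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): file ACLs must be checked instead.
        }
    }

    /** Opens a connection; the caller picks the path, e.g. from -Ddb.config=... */
    public Connection open() throws SQLException {
        return DriverManager.getConnection(props.getProperty("jdbc.url"),
                props.getProperty("jdbc.user"), props.getProperty("jdbc.password"));
    }
}
```

The file is still plain text: the check only makes sure that no other OS account on the machine can read it, which is the most a properties file can offer.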
 
Campbell Ritchie
Marshal
You can use the PASSWORD() function available in most database programs to store a hash for the password.
 
David Newton
Author
Rancher
Campbell Ritchie wrote: You can use the PASSWORD() function available in most database programs to store a hash for the password.

I think we're talking about the username/password to the database itself.

Property files aren't (normally) exposed to users of the application (for web apps). Another option is to configure a JNDI datasource in the container itself. That *somewhat* reduces the risk of a plain property file, but if they're already inside your machine looking for property files, it's too late anyway.
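An added example (not from the original thread) of the container-managed JNDI datasource David mentions: the credentials sit only in the container's configuration, and the application code just looks the pool up by name. The resource name, driver and URL are hypothetical.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;

/**
 * Obtains a container-managed DataSource by JNDI name, so neither the
 * application code nor the WAR contains any database credentials.
 *
 * Assumed Tomcat configuration in conf/context.xml (outside the WAR) or in
 * the webapp's META-INF/context.xml; name, driver and URL are hypothetical:
 *
 *   <Resource name="jdbc/shopDB" auth="Container" type="javax.sql.DataSource"
 *             driverClassName="org.postgresql.Driver"
 *             url="jdbc:postgresql://localhost:5432/shop"
 *             username="shop_app" password="secret" />
 *
 * and the matching declaration in WEB-INF/web.xml:
 *
 *   <resource-ref>
 *     <res-ref-name>jdbc/shopDB</res-ref-name>
 *     <res-type>javax.sql.DataSource</res-type>
 *     <res-auth>Container</res-auth>
 *   </resource-ref>
 */
public final class ContainerDb {
    private final DataSource ds;

    public ContainerDb(String resourceName) throws NamingException {
        // java:comp/env is the per-application JNDI namespace the container fills in.
        Context env = (Context) new InitialContext().lookup("java:comp/env");
        this.ds = (DataSource) env.lookup(resourceName);
    }

    /** Returns a pooled connection; the password never passes through this code. */
    public Connection open() throws SQLException {
        return ds.getConnection();
    }

    // Typical use from a servlet: new ContainerDb("jdbc/shopDB").open()
}
```

The password is still readable by whoever can read Tomcat's conf directory, which is David's point: this moves the secret out of the application, it does not remove it from the machine.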
 
Sudipta Laha
Ranch Hand
Another option that I can think of is to create a class to store the username and password (can use logic to encrypt) and serialize that.
When required, use code to get it from the serialized object.
 
Rob Spoor
Sheriff
Strings can usually be read quite easily in serialized form. It's a form of encryption but not a strong one.

As hinted at before, in web containers like Tomcat, anything in the WEB-INF folder is inaccessible through direct access. It can only be accessed through servlet / JSP code.
 
Campbell Ritchie
Marshal
David Newton wrote: . . . I think we're talking about the username/password to the database itself. . . .
I can't remember exactly, but I think you have to enter a user name and password in that format into the database, then use that password to access the database.

Surely you would make users enter their password as they log on, so the user would have to remember the password.
 
Rob Spoor
Sheriff
Except that you will need the password for system queries. I doubt you want to give each user a separate database password with which they can actually log into your database system and mess up all your business rules. I'd prefer a separate login process with one system account to handle all the database interaction. Of course this interaction should be properly shielded by the application.

I am now using a system which uses one admin database with the JDBC properties inside an XML inside Tomcat's conf folder. All other JDBC properties are retrieved from that database. Unfortunately the passwords are stored in plain text in the database, but proper security on that one database should prevent most security issues.
 
Campbell Ritchie
Marshal
Rob Prime wrote: Except that you will need the password for system queries. . . .
I hadn't realised that bit. I am obviously getting confused with the password you enter when you log on to a database via its command line. Sorry.
 
Milhouse Cernilovsky
Greenhorn
Thank you for your answers ... If the application were a web application, I would put the file with the password in a secure directory. But my application is a simple desktop application, which is run by opening a .jar file. Is there any way to make the application connect to the database without exposing my password (and I don't want users to enter the database password)? Or is it generally a bad idea to make such an application (= non-web) which connects to a database through JDBC?

This application was for my school project where we should have made an application which connects to a database, so it is not so important since the only criterion was functionality, not security ... I am just curious if there is any better way to solve this problem. I think it was a silly idea to make such an app, but in the beginning I hadn't realized it, before I found an article called "Top 25 Most Dangerous Programming Mistakes" where "Hardcoded password" was number 21. Because I am a real Java greenhorn ...
 