Win a copy of Functional Reactive Programming this week in the Other Languages forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Secure DataSource configuration in Spring

 
John McParland
Ranch Hand
Posts: 92
Eclipse IDE Java Spring
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am writing a web application using Java/Spring and MySQL.

At the moment I have a datasource configured as follows;



But the "password" property concerns me. It seems wrong to pass the data source the password explicitly.

I have taken some measures to improve the security of my app including;

  • chaning the root password
  • giving my application a userid/password for it alone
  • ensuring my apps user id can only access the database it needs (and only do what it needs)


  • But I'm not sure how to configure the data source in a more secure manner. I'd imagine anything which requires a password property at all is off the table.

    How do others securely configure their data sources?

    Thanks,

    John
     
    Bill Gorder
    Bartender
    Posts: 1682
    7
    Android IntelliJ IDE Linux Mac OS X Spring
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Typically in enterprise applications I have worked on we as application developers use jndi to get the database connection, and all the details such as username password are configured by a different group responsible for maintaining that information and setting it up in the J2EE server.

    Alternatively you could encrypt the properties file using Jasypt. Of course doing this alone is not enough you would also want to store your encryption passoword in the environment to be used by the application during startup and then you would remove it from the envionment afterwards. There is a nice example of this approach in Spring in Action 3rd edition. I would recommend picking this book up as it is a good read anyway otherwise I am sure google could provide some good examples as well.

    Thanks,
     
    John McParland
    Ranch Hand
    Posts: 92
    Eclipse IDE Java Spring
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Thanks Bill. The idea of using JNDI and the username/password being configured separately on the server sounds about right. I like how it means the code can be entirely separated from the authentication.

    I've got the Spring In Action book but haven't come across that example yet. I'll give it a go.

    Thanks
     
    Manish Sridharan
    Ranch Hand
    Posts: 65
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Quite agree JNDI would be a better way to go for it. Perhaps you can have a look on this link :Configure JNDI with Spring

    Thanks,
     
    John McParland
    Ranch Hand
    Posts: 92
    Eclipse IDE Java Spring
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Manish Sridharan wrote:Quite agree JNDI would be a better way to go for it. Perhaps you can have a look on this link :Configure JNDI with Spring

    Thanks,


    Thanks - I'll certainly use it!
     
    John McParland
    Ranch Hand
    Posts: 92
    Eclipse IDE Java Spring
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Hi again.

    I tried the example based on Tomcat JNDI Datasource Examples - HOWTO for MySQL and also section 5.2.1 of Spring In Action (2nd Edition) but I haven't had any luck.

    Here's what I've got now.

    In XAMPP (the web server I'm using for testing just now); I've got a Context.xml file in this location C:\xampp\tomcat\conf\Catalina\localhost
    It looks as follows;



    Then in my Spring Beans property file I have



    And finally some noddy Java code



    Unfortunately when I run this I get an exception;



    I'm not sure exactly where it's gone wrong. Any ideas anyone?

    Thanks,

    John
     
    Manish Sridharan
    Ranch Hand
    Posts: 65
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Just had a glance on the stack trace. it seems either jndi is not initialized properly or it has not retrieved properly in the application. You can try following things to check that.

    1. Try changing to
    I think forward slash might not be required.

    2. Create simple main class and try to get datasource object directly from jndi. Try with runtime debugging, it will give lot more information on the jndi.

    Another important thing, please initialize log4j properties file and set it to debug level for spring classes. this will give you more logging information where in spring it has failed.
    I generally attached the spring source code while debugging to see where the application is failing.


    Thanks
     
    John McParland
    Ranch Hand
    Posts: 92
    Eclipse IDE Java Spring
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Manish Sridharan wrote:Just had a glance on the stack trace. it seems either jndi is not initialized properly or it has not retrieved properly in the application. You can try following things to check that.

    1. Try changing to
    I think forward slash might not be required.

    2. Create simple main class and try to get datasource object directly from jndi. Try with runtime debugging, it will give lot more information on the jndi.

    Another important thing, please initialize log4j properties file and set it to debug level for spring classes. this will give you more logging information where in spring it has failed.
    I generally attached the spring source code while debugging to see where the application is failing.


    Thanks


    Thanks Manish. I tried suggestion one and put trace logging on for all. I'm not sure exactly where I could put a breakpoint on since it fails early on.

     
    Manish Sridharan
    Ranch Hand
    Posts: 65
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator


    From this log it seems, jndi object itself is not created. You should check if your context.xml is getting loaded in your application or not. As far as I can see from the log, it is not getting loaded.

    Thanks
     
    Dariusz Majewski
    Greenhorn
    Posts: 1
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Hi John,

    You've just created a simple java application with spring context that doesn't know anything about tomcat.

    After you've defined db resource in tomcat, to be able to use it, you have to create a web application and deploy it in tomcat.

    In your web.xml you you'll have to add something like this:



    and to quickly test if it works you can create a simple servlet which will use WebApplicationContextUtils to retrieve spring context and your bean.

    hope this helps.


    Dariusz
     
    • Post Reply
    • Bookmark Topic Watch Topic
    • New Topic