Keeping the password secure after securing the HttpInvokers

 
Dennis van Beek
We had some problems with hackers hacking our JBoss, so I had to secure our HttpInvokers in JBoss 4.2.3 (EJBInvokerServlet and JMXInvokerServlet).
I changed the JBoss configuration and after that I changed the calling code (to supply a username and password).

My question now is:
In all examples I see on the internet about adding security to JBoss, the username and password are hardcoded in the code.
Our client code (which also needs these credentials) is open for download, so a smart hacker is able to download the code, decompile the classes and see the password.
Is there a way to make this secure?
 
Jaikiran Pai
The password need not necessarily be part of the code. It can be stored in a database for example or some other "store" or the user could even be prompted for it. In fact, having it in the code isn't typical for production applications.
 
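The following is an added example, not code from either poster, showing one way to do what the answer above suggests: the client resolves the HttpInvoker username and password at runtime from a -D system property, an environment variable, a properties file the operator keeps outside the downloadable jar, or an interactive prompt, and only then puts them into the JNDI environment. The property and variable names, the file location, and the JNDI name looked up are all chosen for this example; the context factory class and the /invoker/restricted/JNDIFactory URL are what JBoss 4.2.x ships for the secured HTTP invoker as far as I know, but check them against your own jndi.properties and http-invoker.sar configuration.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

// Added example, not part of the original thread: keep the invoker credentials
// out of the distributed client classes and resolve them at runtime instead.
public class InvokerCredentials {

    // Hypothetical names chosen for this example.
    private static final String USER_PROP = "invoker.user";
    private static final String PASS_PROP = "invoker.password";
    private static final String USER_ENV  = "INVOKER_USER";
    private static final String PASS_ENV  = "INVOKER_PASSWORD";

    /** Username/password pair; the password is a char[] so it can be wiped after use. */
    public static final class Credentials {
        public final String user;
        public final char[] password;
        Credentials(String user, char[] password) { this.user = user; this.password = password; }
        public void clear() { Arrays.fill(password, '\0'); }
    }

    /**
     * Lookup order: -D system properties, then environment variables, then a
     * properties file outside the jar (e.g. ~/.invoker.properties, mode 0600),
     * and finally an interactive prompt. Nothing here is compiled into the client.
     */
    public static Credentials resolve(Path propsFile) throws IOException {
        String user = System.getProperty(USER_PROP, System.getenv(USER_ENV));
        String pass = System.getProperty(PASS_PROP, System.getenv(PASS_ENV));

        if ((user == null || pass == null) && propsFile != null && Files.isReadable(propsFile)) {
            Properties p = new Properties();
            try (InputStream in = Files.newInputStream(propsFile)) { p.load(in); }
            if (user == null) user = p.getProperty(USER_PROP);
            if (pass == null) pass = p.getProperty(PASS_PROP);
        }

        Console console = System.console();
        if (user == null && console != null) user = console.readLine("Invoker user: ");
        if (user == null || user.isEmpty()) throw new IOException("no invoker username available");

        char[] passChars;
        if (pass != null) {
            passChars = pass.toCharArray();
        } else if (console != null) {
            passChars = console.readPassword("Invoker password for %s: ", user); // not echoed
        } else {
            throw new IOException("no invoker password configured and no console to prompt on");
        }
        if (passChars == null || passChars.length == 0) throw new IOException("empty invoker password");
        return new Credentials(user, passChars);
    }

    /**
     * JNDI environment for the secured HTTP invoker. Factory class and URL are
     * assumed from JBoss 4.2.x defaults; verify against your jndi.properties.
     */
    public static Properties jndiEnv(String providerUrl, Credentials c) {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, c.user);
        env.put(Context.SECURITY_CREDENTIALS, new String(c.password));
        return env;
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(System.getProperty("user.home"), ".invoker.properties");
        Credentials creds = resolve(file);
        try {
            String url = "http://localhost:8080/invoker/restricted/JNDIFactory"; // assumed default path
            Context ctx = new InitialContext(jndiEnv(url, creds));
            Object ref = ctx.lookup("jmx/invoker/HttpAdaptor"); // hypothetical JNDI name for this example
            System.out.println("Looked up " + ref.getClass().getName());
        } finally {
            creds.clear();
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, this only removes the shared secret from the downloadable code; whatever credential the client legitimately holds can still be read by whoever runs that client, so give each user their own account in the invoker's security domain rather than one password for everyone, and restrict what that account may invoke. Second, the credentials still travel in a Basic auth header, so the invoker URL should be served over HTTPS, otherwise the password is just as exposed on the wire as it was in the decompiled class.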