Keeping the password secure after securing the HttpInvokers

Posts: 8
Java Mac OS X Ubuntu
We had some problems with hackers hacking our JBoss, so I had to secure our HttpInvokers in JBoss 4.2.3 (EJBInvokerServlet and JMXInvokerServlet).
I changed the jboss-configuration and after that I changed the calling code (to supply a username and password).

My question now is:
In all examples I see on the internet, about adding security to JBoss, the username and password are hardcoded in the code.
Our client-code (which also needs these credentials) is open for download, so a smart hacker is able to download the code, decompile the classes and see the password.
Is there a way to make this secure?
Posts: 10445
IntelliJ IDE Ubuntu
  • Likes 1
The password need not necessarily be part of the code. It can be stored in a database for example or some other "store" or the user could even be prompted for it. In fact, having it in the code isn't typical for production applications.
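
An added example (not part of the original posts, and not JBoss project code) of the "prompt the user" option from the reply above: the client collects the username and password at run time and places them in a JNDI environment, so nothing secret is compiled into the downloadable classes. The class name `RuntimeCredentials` and the `invoker.url` system property are assumptions made for this sketch; how the environment is consumed depends on the context factory your client already uses.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;

/** Added example: obtain invoker credentials at run time instead of hardcoding them. */
public class RuntimeCredentials {

    /** Builds the JNDI environment from caller-supplied values; no constants hold secrets. */
    static Hashtable<String, Object> jndiEnv(String providerUrl, String user, char[] password) {
        if (providerUrl == null || providerUrl.isEmpty()) {
            throw new IllegalArgumentException("provider URL is required");
        }
        if (user == null || user.isEmpty() || password == null || password.length == 0) {
            throw new IllegalArgumentException("username and password are required");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_PRINCIPAL, user);
        // Kept as char[] so it can be wiped; assumption: your context factory accepts
        // non-String credentials. Convert at the last moment if it does not.
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) {
        // Assumption: the URL comes from deployment configuration (-Dinvoker.url=...).
        String url = System.getProperty("invoker.url");
        Console console = System.console();
        if (console == null) {
            // No terminal attached: fail closed rather than fall back to a built-in password.
            System.err.println("No interactive console available; cannot prompt for credentials.");
            System.exit(1);
        }
        String user = console.readLine("Username: ");
        char[] password = console.readPassword("Password: "); // input is not echoed
        if (password == null) {
            System.err.println("No password entered.");
            System.exit(1);
        }
        try {
            Hashtable<String, Object> env = jndiEnv(url, user, password);
            // Pass env to new InitialContext(env) here, together with the
            // INITIAL_CONTEXT_FACTORY setting the client already uses, and make the calls.
            System.out.println("JNDI environment prepared for " + env.get(Context.SECURITY_PRINCIPAL));
        } finally {
            Arrays.fill(password, '\0'); // wipe the secret; env must not be reused after this
        }
    }
}
```

Because each user types an account of their own, decompiling the client reveals no credential, and the server can restrict or revoke accounts individually.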