Which way is better for holding database connection parameters?

 
Ranch Hand
Posts: 41
Hi,
I'm using the JSF framework. I can let NetBeans create the persistence unit and hardcode the connection parameters into the persistence.xml file, or I can use a resource tag in the context.xml file, or use another file such as a property file or a class for holding connection parameters like username and password. What is the most secure or expert way to use connection properties in my app, or is there no difference?

Appreciate in advance.
 
Bartender
Posts: 3225
We generally keep it in a config properties file and read that properties file at runtime and construct the connection objects. Putting it in a class means that you would have to build the code each time you change it, but having it in a properties file you can always edit the file and restart your app.

None of the ways mentioned are secure, as it is not secure to keep your password in plain text. If you are sure that the password in plain text cannot be accessed by unauthorized people and the exception messages don't contain the connection details, then you might want to keep them in the properties file. Another approach would be to make use of a key server where the password would be stored against a key and the key would be stored in the properties file.
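
As an added example (not code from this thread), here is one way to meet the two conditions named in the reply above: a properties file outside the application that only its owner can read, and exception messages that carry no connection details. The class name and the keys `db.url`, `db.user` and `db.password` are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example: DB settings live in a file outside the WAR; all names are hypothetical. */
public final class DbConfig {
    private static final Logger LOG = Logger.getLogger(DbConfig.class.getName());

    /** Loads db.url, db.user, db.password; refuses a file that group or others can access. */
    public static Properties load(Path file) throws IOException {
        // POSIX-only check; other file systems throw UnsupportedOperationException here.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                throw new IOException("DB config file must be owner-only (chmod 600)");
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    /** Opens a connection; driver detail stays in the server log, callers get a generic error. */
    public static Connection connect(Properties props) throws SQLException {
        try {
            return DriverManager.getConnection(props.getProperty("db.url"),
                    props.getProperty("db.user"), props.getProperty("db.password"));
        } catch (SQLException e) {
            // Driver messages can name the host, database or user: log them server-side only.
            LOG.log(Level.SEVERE, "Database connection failed", e);
            // The cause is deliberately not chained, so its message cannot reach an error page.
            throw new SQLException("Database is unavailable", e.getSQLState());
        }
    }
}
```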
 
Arash Babak
Ranch Hand
Posts: 41
Thanks, Mohamed.
I'm new to JSF and Java web programming.
You mentioned the exception messages that contain the connection details. Can the application put them in the exception messages by itself? If so, how can I prevent it?
I'll keep it in the properties file, but where should I put the keys so that the application can use them for connecting to the DB? In the persistence.xml file or in the context.xml? Can you give me an example of that?
 
Saloon Keeper
Posts: 27763
I don't do any of the above.

I use connection pools, which are defined external to the web application. Thus, sensitive connection information isn't stored within the web application itself. This also allows me to use the same WAR for both test and production machines, since I don't have to rebuild it with test/production database connection parameters.

Plus, with a connection pool, all connections are shared and tuneable for all participants in the pool. For an ORM system such as Hibernate/JPA that's not as big a consideration as it is for free-form JDBC-based apps, but it's still something else you can control without making code changes.
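
An added example of the approach described in this reply, not code from the poster: the pool and its credentials are declared in the server, and the application only looks the pool up by name. The Tomcat-style resource definition in the comment, the JNDI name `jdbc/WorkshopDB`, the driver, the URL and the credentials are all placeholders chosen for illustration.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/*
 * Added example. The pool is declared in the server, outside the WAR, for instance in
 * Tomcat's conf/Catalina/localhost/<app>.xml (name, URL and credentials are placeholders):
 *
 *   <Context>
 *     <Resource name="jdbc/WorkshopDB" auth="Container" type="javax.sql.DataSource"
 *               driverClassName="org.postgresql.Driver"
 *               url="jdbc:postgresql://db.example.internal:5432/workshop"
 *               username="APP_USER_PLACEHOLDER" password="PASSWORD_PLACEHOLDER"
 *               maxTotal="10" maxWaitMillis="5000"/>
 *   </Context>
 *
 * With JPA, persistence.xml then names the pool instead of carrying credentials:
 *   <non-jta-data-source>java:comp/env/jdbc/WorkshopDB</non-jta-data-source>
 */
public final class PooledDb {
    private static final String JNDI_NAME = "java:comp/env/jdbc/WorkshopDB"; // hypothetical

    private static volatile DataSource dataSource;

    private static DataSource pool() throws NamingException {
        DataSource ds = dataSource;
        if (ds == null) {
            // The container binds the pool; the application never sees URL, user or password.
            ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
            dataSource = ds;
        }
        return ds;
    }

    /** Borrows a connection; close() returns it to the pool, so use try-with-resources. */
    public static Connection borrow() throws SQLException {
        try {
            return pool().getConnection();
        } catch (NamingException e) {
            throw new SQLException("Connection pool " + JNDI_NAME + " is not configured", e);
        }
    }
}
```

The same WAR can then be deployed to test and production, with each server binding its own database behind the same JNDI name.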
 
Arash Babak
Ranch Hand
Posts: 41
Thank you Tim,
My app is a simple app with just two admin users who want to control their workshop. But can you give me some references from which I can learn about making connection pools and using them for the connection details in TomEE?
 
Tim Holloway
Saloon Keeper
Posts: 27763
Pooled connections are part of the J2EE standard and documentation can be found in any good book on J2EE. The exact configuration details depend on what server you are using.

TomEE is supposed to be an EJB container. So if it's properly compliant, the EJBs would have to have those mechanisms as part of the EJB implementation itself, not that basic Tomcat didn't support them anyway.
 
Arash Babak
Ranch Hand
Posts: 41
Thanks, Tim.