Reputation: 8727
How to securely store database credentials in a Spring MVC web application?
I have a Spring MVC web application which needs to connect to a database, and the data source credentials are currently (in development) being kept in the application context configuration file, i.e. in WEB-INF\spring\application_context.xml like so:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="username" value="my_username" />
<property name="password" value="my_password" />
<property name="url" value="my_datasource_url" />
<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
</bean>
Before I deploy this application to a public facing Tomcat server I want to make sure that I'm not making these database credentials visible to the world or easily discovered by a crafty hacker. Am I OK keeping things as they are, i.e. in plain text and in an XML file under WEB-INF? If not then is there a best practice for this sort of thing?
Thanks in advance for your help.
Upvotes: 3
Views: 2857
Answers (3)
Reputation: 4960
Another thing to consider would be to have a JNDI lookup. JNDI would be contained within the servlet container (tomcat in your case) allowing connections to the database only through webapps currently deployed from Tomcat.
This way also creates a silo'd experience between build management and development so development doesn't have the keys to the car, if you get my metaphor.
Upvotes: 2
Reputation: 340708
Files stored in WEB-INF folder are by definition inaccessible from the outside world. E.g. if you put JSP file there no user can access that file directly - it can be referenced for example by importing or including from another JSP.
That being said your credentials are safe, but it is not a good practice to hard code them in the applicationContext.xml. Are you pushing these credentials to your source control?
The safest way is to extract sensitive and frequently changing configuration in an external .properties file somewhere on your hard disk. Spring is perfectly capable of reading .properties files.
Upvotes: 5
Reputation: 3497
You could make it ask the password on startup. But usually what i see is passwords in xml files which are chmodded and chowned to be only accessible by the web software itself. There are no easy good solutions.
One basic step is to make sure that the tomcat-user has only the access it needs on the database , so if it is compromised, the damage is limited.
Upvotes: 1
Related Questions
- What is the best way to store some data for anonymous user when using spring mvc with security?
- How to secure database credentials in spring mvc service layer
- Proper way of hiding very sensitive credentials in a web application
- Keep DB passwords out of spring-servlet.xml file
- Best place to keep secure information in java spring web application
- Storing Form Login Sessions in a Database
- Where should I keep the credentials of my database?
- How to keep db password in application server secure?
- What is the recommended way to store user credentials in spring MVC?
- How can I point Spring MVC to our database for security?