Anmol Mago

Reputation: 23

How would I go about connecting to a database securely via Java?

I wish to connect to a MySQL database with Java without revealing the password to anyone that may decompile my code. I can efficiently connect to a database, but my ways will openly show my password in the code :( and I wish only a response on how to hide the password. Thanks in advance

Upvotes: 0

Views: 133

Answers (2)

Konstantin Pribluda

Reputation: 12367

OAuth allows client connection without storing credentials on the client (used widely on mobile devices or to identify Twitter applications). It also allows removing access permissions from rogue clients. But I doubt that MySQL supports this directly, so you will have to wrap your database with some kind of service layer. One of the usable implementations of OAuth:

http://code.google.com/p/oauth-signpost/

(IIRC, used by Qipe)

Upvotes: 1
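
The service-layer idea from the answer above, as an added example that is not part of the original post: the MySQL password lives only in the server's environment, and the client gets a revocable token limited to one fixed query. A static bearer token stands in for OAuth here; the environment variable names, the `/score` endpoint and the `scores` table are assumptions, and a MySQL JDBC driver is expected on the classpath.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.*;

// Added example. Assumed names: env vars DB_URL, DB_USER, DB_PASS, CLIENT_TOKEN; table "scores".
public class ScoreService {
    public static void main(String[] args) throws Exception {
        String url = System.getenv("DB_URL");    // e.g. jdbc:mysql://127.0.0.1:3306/app
        String user = System.getenv("DB_USER");  // least-privilege account (SELECT only)
        String pass = System.getenv("DB_PASS");  // stays on the server, never in the client jar
        byte[] token = System.getenv("CLIENT_TOKEN").getBytes(StandardCharsets.UTF_8);
        if (token.length < 16) throw new IllegalStateException("CLIENT_TOKEN too short");

        // Bind to loopback; terminate TLS in a reverse proxy in front of this port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/score", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            byte[] sent = (auth == null ? "" : auth.replaceFirst("^Bearer ", ""))
                    .getBytes(StandardCharsets.UTF_8);
            String query = ex.getRequestURI().getQuery();  // expected form: name=<player>
            int status;
            String body;
            if (!MessageDigest.isEqual(sent, token)) {      // constant-time comparison
                status = 401; body = "unauthorized";
            } else if (query == null || !query.matches("name=[A-Za-z0-9_]{1,32}")) {
                status = 400; body = "bad request";
            } else {
                // One fixed, parameterized query: clients cannot send arbitrary SQL.
                try (Connection c = DriverManager.getConnection(url, user, pass);
                     PreparedStatement ps = c.prepareStatement(
                             "SELECT score FROM scores WHERE player = ?")) {
                    ps.setString(1, query.substring("name=".length()));
                    try (ResultSet rs = ps.executeQuery()) {
                        status = rs.next() ? 200 : 404;
                        body = status == 200 ? String.valueOf(rs.getInt(1)) : "not found";
                    }
                } catch (SQLException e) {
                    status = 500; body = "error";           // no driver detail sent to the client
                }
            }
            byte[] out = body.getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(status, out.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(out); }
        });
        server.start();
    }
}
```

Decompiling the client now yields only the token, which can be rotated or revoked on the server without touching the database account.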

npinti

Reputation: 52185

Assuming that the database which will be accessed will be on your machines, two things that come to mind:

  • Set up a small secure REST service (as shown here) which will, upon a certain request with certain credentials, pass the password to your database. This however might be an issue if your application is sitting behind some corporate firewall since you might need to add firewall exceptions, which is something that not all administrators are enthusiastic about.

  • You could use a mix of Cryptography and Obfuscation to encrypt the password to the database and then obfuscate all your code.

As a note though, either of these methods can, in time, be broken. This is basically the rule about all security-related software.

If it were up to me, I would go about this problem using the first approach and make sure that the credentials through which the service is accessed are changed often.

However, databases which are used as part of a client solution contain pretty sensitive data which is in the client's interest not to tamper with, so the client will most likely not mess around with it, he/she will be happy as long as the system works.

If on the other hand, the database is not deployed onto one of your machines then you can't really do much about it. You could recommend that the server will be stored on a remote machine with access only over the intranet, but other than that, I do not think you can do much about it.

Upvotes: 0
