tyler 2durden

Reputation: 11

How to secure database connection string

I usually keep database connection information, including username/password, in a .properties file or in an .xml file. Is there a way to make this more secure? I mean, on directory level someone can easily edit the file and connect to the database.

thanks

I use Spring Framework, Spring Security and JSF 2 tools. I am actually looking for a solution other than handling file-level authorization. Users can be granted access on Linux and Windows. Adding some paranoia, I would even like to hide it from authorized users. I don't want the authorized users to see username/password information in plain text.

thanks for replies

Upvotes: 1

Views: 1122

Answers (3)

Perefexexos

Reputation: 252

Take a look here. It looks like this, from the link I gave here.

  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

Upvotes: 0

Remus Rusanu

Reputation: 294267

You can make the connection string inaccessible to unauthorized users. This is a simple issue of permissions, and simply revoking all unnecessary permissions on your config file is enough. However, you cannot protect the connection string from authorized users, and that always includes all members of the local Administrators group and the user that runs the application.

There are ways to encrypt the connection string too, as configuration does support encryption; see Encrypting and Decrypting Configuration Sections. But this is a means to protect against accidental media loss (your HDD turns up at a flea market). Cryptography does not add any real protection more than file-level authorization because the application itself needs to decrypt the configuration. I'm emphasizing this because all too often questions like yours actually mean a DRM enforcing question: how to ensure the user using the application does not see or modify some part of the application.

someone can easily edit the file and connect to database

I hope you mean 'someone can easily cause the application to connect to a different database' and this should be easy for authorized users. If you're trying to hide what database you're connecting to you're really barking up the wrong tree because that is visible in a myriad other ways.

Upvotes: 1
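The file-permission point in the answer above, as an added example (not part of the original answer): a Python audit that reports when a credentials file is readable or writable by anyone other than its owner. It assumes POSIX mode bits (Windows ACLs are not covered); the file name, key-name hints and sample contents are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Key-name fragments treated as credentials (assumption for this example).
SECRET_HINTS = ("user", "password", "passwd", "secret")
# Constructed sample contents; host, account and password are made up.
SAMPLE = (
    "jdbc.url=jdbc:postgresql://db.example.internal/app\n"
    "jdbc.username=app_rw\n"
    "jdbc.password=not-a-real-password\n"
)

def credential_keys(path):
    """Return the keys of a .properties file whose names look like credentials."""
    keys = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#!":  # blank line or comment
                continue
            key = re.split(r"[=:]", line, maxsplit=1)[0].strip()
            if any(hint in key.lower() for hint in SECRET_HINTS):
                keys.append(key)
    return keys

def audit(path):
    """Return findings; an empty list means the mode bits limit access to the owner."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other (mode %o)" % mode)
    # A writable parent lets others replace the file, unless it is sticky.
    pmode = stat.S_IMODE(os.stat(os.path.dirname(os.path.abspath(path))).st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append("parent directory writable by group/other (mode %o)" % pmode)
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:  # created with mode 0700
        path = os.path.join(d, "db.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # a common default: world-readable
        before = audit(path)
        os.chmod(path, 0o600)  # owner-only
        return credential_keys(path), before, audit(path)
```

Calling `demo()` returns the credential keys found in the sample, the findings at mode 0644, and the findings after tightening to 0600. The account that runs the application and root can still read the file in either case.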

Pawan

Reputation: 1075

You can encrypt those files and then use them. Though it will increase the overhead of encryption/decryption.

Upvotes: 1
