Reputation: 113
Keeping secret information secret
So, I'm writing a password verification thingy, loading username and passwords from a database, but I can't figure out how to keep the database username and password out of the code.
String user = "username";//database username, not username to verify
String password = "password";//my password, not users password to check
String url = "jdbc:mysql://databaseurl:3306/table";
//i want this hidden somehow
I could load it from a file, but then people could just read the file.
Obviously I don't want people gaining access to the database and reading secret information. How should I go about doing this?
EDIT: What I'm asking, is, how can I secure MY database credentials. Other people should not have access to the database
You could, for instance, decompile the jar and read the above lines, and access my database using my credentials. (using a program such as jd-gui)
Upvotes: 2
Views: 203
Answers (4)
Reputation: 5022
Secure your authentication and authorization services using a PKI exchange with a properly signed certificate (so it can be revoked if something does go wrong, and it certainly may).
One example is ws-security (a SOAP extension), but if you need to use REST you're stuck with transport-level security (securing your connection with HTTPS).
You might want to read up at http://security.stackexchange.com for more insightful commentary, rather than "store it in a property file."
Upvotes: 0
Reputation: 9914
You can keep database details in a
property file/database
. It is a kind of one layer of abstraction. And in that property file/database, you give some different keys so that at the time of accessing database, take the keys/columns from property file/database and construct url information.
Upvotes: 0
Reputation: 7531
Use password encryption. If you application runs inside J2EE container, use standart tools
Look at sample for Jboss container
Upvotes: 2
Reputation: 9115
If you're going to give the user direct access to the database, why not just make the username/password you're passing to the database the user's actual username/database?
Typically in secure systems the database is not directly exposed to the user. The user passes a query to some system which then performs authentication and then if passes passes the query to the database.
In other words, if you're relying on the obscuring of the database login credentials as the obstruction to accessing the database, you're relying on the client to authenticate itself with respect to actually querying the database, which is a bad, bad idea. As soon as your database's login credentials are compromised, your whole security scheme has now failed.
Upvotes: 0
Related Questions
- Can a secret be hidden in a 'safe' java class offering access credentials?
- How can I hide my database information in Java?
- Storage of sensitive data
- Storing/Reading sensitive data from Java program
- Storing sensitive infomation
- Protecting Java data (saving items to a secure file)?
- Securing Password on Java Program
- Java Safely Store Personal Data in Distributed Application
- private variables in java?
- Java - store sensitive data