septerr

Reputation: 6603

Secure Database Connection Details In Java App Servers

Our app runs on Tomcat. On startup, we read a properties file that is expected to be at a certain location on the server. Among other things the properties file contains the details for connecting to a database.

Each of our clients has their own instance of the app. It is either hosted by us or is run on a server in their facility.

One of our clients is worried about the password required to connect to the database being stored as plain text in this properties file. A lot of ideas are being discussed in the team about encrypting the password in the file using a shared key or public-private key etc. But none seem like a good solution to me. The fact that a key would have to be hardcoded in the source code seems like a bad idea.

I feel it would be better to prompt the client somehow for a password any time they start Tomcat and let them manually specify the password.

Have you dealt with a similar situation? What solutions have you used?

Thanks.

Upvotes: 1

Views: 66

Answers (1)

Mark McBride

Reputation: 66

You may want to review: http://wiki.apache.org/tomcat/FAQ/Password

That said, any configuration file that does contain a password needs to be appropriately secured. That means limiting access to the file so that it can be read only by the user that the Tomcat process runs as and root (or the administrator on Windows).

Hope this helps!

Upvotes: 5
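As an added illustration of the file-permission point in the answer above (this is example code, not from the original post or from Tomcat), the script below creates a constructed properties file in a temporary directory, restricts it to its owner, and provides a check an operator can run to confirm group and other cannot read it. The path, the file contents and the placeholder credential are all constructed; on a real server the owner would be the Tomcat service account, which this example does not change because it does not run as root.

```shell
#!/bin/sh
# Added example (not from the original post): lock down a constructed
# properties file and verify that only its owner can read it.
set -eu

WORK_DIR=$(mktemp -d)
PROPS="$WORK_DIR/app.properties"   # constructed sample path (assumption)

# Constructed sample content; the password value is a placeholder.
cat > "$PROPS" <<'EOF'
db.url=jdbc:postgresql://db.example.internal:5432/appdb
db.user=app_user
db.password=PLACEHOLDER_PASSWORD
EOF

# Print the octal permission bits of a file, on both GNU and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Succeed (exit 0) only if group and other have no permission bits at all,
# i.e. the file is readable solely by its owner (600, 400, 700 or 500).
props_is_locked_down() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400|700|500) return 0 ;;
        *) return 1 ;;
    esac
}

# Restrict the file so only its owner (the Tomcat service account) can read it.
lock_down_props() {
    chmod 600 "$1"
}

# Demonstration run: report the mode before and after locking the file down.
echo "before: mode $(file_mode "$PROPS")"
props_is_locked_down "$PROPS" || echo "WARNING: $PROPS is readable by group/other"
lock_down_props "$PROPS"
echo "after:  mode $(file_mode "$PROPS")"
if props_is_locked_down "$PROPS"; then
    echo "OK: $PROPS is restricted to its owner"
fi
```

On a production host you would additionally `chown` the file to the account Tomcat runs as, and `props_is_locked_down` makes a reasonable startup or audit check: a file that fails it has been left world- or group-readable, which is exactly the exposure the answer warns about.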
