Where do you store your db password and get it in your J2EE app?

Question

How do you make sure it is secure when there are some devs who can access the machine?

Andrew T Finnell · Accepted Answer

Baring the whole discussion about not storing passwords in files you use the machine's own ACL to prevent them from accessing it.

Make the file readable only by the admin account, or some other account used to run your software. Then you dont give the developers the admin account/process account information.

The bigger question is, if you are concerned about them accessing the file on your machine, why do they have access to said machine? Any developer that is able to replace the code on the server without checks will be able to access your database.

Lets give a nice real world example of why you would want to do something like this.

You hire developers to create a Bank of Stackoverflow website. For whatever reason you store all your clients account information, including SSN, in a single database that needs to be accessed by the Bank of Stackoverflow website.

Do not give developers permission to put code directly onto a live machine
Do not give developers the access information to the database.

All code has to go onto a stage machine to be verified. For the most part it is easy enough to allow developers to use stage databases consisting of fake client information.

It is the responsibility of vetted engineers, to move products from the staged machine to the production machine.

Where do you store your db password and get it in your J2EE app?

Answers (2)

Related Questions