Re: connect with Java to Oracle without clear text password in code
Date: Wed, 13 Apr 2011 11:02:29 +0100
Message-ID: <BANLkTimg3sm8CmOLmbZUFmqOFrWFgOzL-A_at_mail.gmail.com>
Your installPath variable rather suggests that you are using the JBoss application server to deploy this application :). JBoss (and all J2EE application servers in fact) support a technology called JNDI (e.g. http://docs.jboss.org/jbossweb/3.0.x/jndi-resources-howto.html). That would in general be a better approach for your database connection management. Depending on the application server, the database password may still be stored in plain text in a configuration file on the application server, but it won't be stored in the code and is the responsibility of the various admins to maintain. It also of course means that you can develop against a db that you know the password to and deploy in production without ever being aware of the production password, its change policy and so on. Your new code would end up looking like
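// Needs javax.naming.Context, javax.naming.InitialContext, javax.sql.DataSource, java.sql.Connection
// Resolve the server-managed DataSource; URL, user and password live in the server's configuration
Context initCtx = new InitialContext();
Context envCtx = (Context) initCtx.lookup("java:comp/env");
DataSource ds = (DataSource) envCtx.lookup("jdbc/myApp");
Connection cn = ds.getConnection();
createOutputOne();
createOutputTwo();
createOutputTree();
createOutputFour();
cn.close();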
On Wed, Apr 13, 2011 at 9:11 AM, Sven Aluoor <aluoor_at_gmail.com> wrote:
> Hi folks
>
> Here is a snippet of the code
>
> public class ScriptOutput {
>
> private static String installPath = "//opt//jboss//tools//copy//";
> private static String host = "mz007542.internal.hosts", port =
> "1521", sid = "ISSPDB",
> dbuser = "issdbuser", pw = "5s8yk5sbm3sj7";
>
> private static Connection cn;
>
> public static void main(String[] args) {
>
> try {
>
> Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
> String url = "jdbc:oracle:thin:@" + host + ":" +
> port + ":" + sid;
> cn = DriverManager.getConnection(url, dbuser, pw);
> } catch (SQLException e) {
> e.printStackTrace();
> } catch (InstantiationException e) {
> e.printStackTrace();
> } catch (IllegalAccessException e) {
> e.printStackTrace();
> } catch (ClassNotFoundException e) {
> e.printStackTrace();
> }
> createOutputOne();
> createOutputTwo();
> createOutputTree();
> createOutputFour();
> }
>
> You see there is a clear text password for connecting to remote DB
> instance. I have no access to remote DB instance, only unprivileged
> user.
> How to not write clear text password in the Java code (without
> modifying remote Oracle server)?
>
> Any good ideas for better security? Please give detailed instructions
> because I have almost no experience with Java.
>
> cheers Sven
> --
> http://www.freelists.org/webpage/oracle-l
--
Niall Litchfield
Oracle DBA
http://www.orawin.info
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 13 2011 - 05:02:29 CDT
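
The JNDI approach suggested in the reply, written out as a complete class. This is an added example, not code from either poster: the class name ScriptOutputJndi and the createOutputs() stand-in are hypothetical, and it assumes the server admin has bound a DataSource under the name jdbc/myApp used in the reply.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class ScriptOutputJndi {

    // Assumed JNDI name; must match the resource the server admin defines.
    private static final String DS_NAME = "jdbc/myApp";

    // Resolve the container-managed DataSource. Host, SID, user and password
    // live in the server's resource definition, not in this class.
    static DataSource lookupDataSource() throws NamingException {
        Context initCtx = new InitialContext();
        Context envCtx = (Context) initCtx.lookup("java:comp/env");
        return (DataSource) envCtx.lookup(DS_NAME);
    }

    // Hypothetical stand-in for createOutputOne() .. createOutputFour().
    static void createOutputs(Connection cn) throws SQLException {
        System.out.println("connected as " + cn.getMetaData().getUserName());
    }

    public static void main(String[] args) {
        DataSource ds;
        try {
            ds = lookupDataSource();
        } catch (NamingException e) {
            // Outside the application server (or if the resource is not
            // bound) there is nothing to look up. Fail here; do not fall
            // back to credentials compiled into the class.
            System.err.println("JNDI lookup of " + DS_NAME + " failed: " + e);
            System.exit(1);
            return;
        }
        // try-with-resources returns the connection to the pool even when
        // one of the output steps throws.
        try (Connection cn = ds.getConnection()) {
            createOutputs(cn);
        } catch (SQLException e) {
            // Report the failure without printing connection details.
            System.err.println("database error, SQLState=" + e.getSQLState());
            System.exit(2);
        }
    }
}
```

Run outside a container, the lookup throws a NamingException and the program exits with status 1, which is the intended behaviour when no server-managed resource is available.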