
Due to security requirements I need to store the database password as an MD5 hash in my hibernate.cfg.xml, but as far as I know Hibernate does not support hashed passwords. I am using Hibernate 5.1.0.

My hibernate.cfg.xml looks like this:

    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE hibernate-configuration PUBLIC
        "-//Hibernate/Hibernate Configuration DTD//EN"
        "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
    <hibernate-configuration>
        <session-factory>
            <property name="hibernate.connection.driver_class">org.h2.Driver</property>
            <property name="hibernate.connection.url">jdbc:h2:tcp://localhost/~/test</property>
            <property name="hibernate.connection.username">sa</property>
            <property name="hibernate.connection.password"></property>
            <property name="show_sql">true</property>
            <property name="hibernate.c3p0.min_size">5</property>
            <property name="hibernate.c3p0.max_size">20</property>
            <property name="hibernate.c3p0.timeout">300</property>
            <property name="hibernate.c3p0.max_statements">50</property>
            <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
            <property name="hibernate.hbm2ddl.auto">update</property>
        </session-factory>
    </hibernate-configuration>

This is how I create a sessionFactory:

    import org.hibernate.SessionFactory;
    import org.hibernate.cfg.Configuration;

    public class HibernateUtility {
        // Built once when the class is loaded; every caller shares this instance.
        private static final SessionFactory sessionFactory = buildSessionFactory();

        private static SessionFactory buildSessionFactory() {
            try {
                // Create the SessionFactory from hibernate.cfg.xml on the classpath
                return new Configuration()
                        .configure()
                        .buildSessionFactory();
            } catch (Throwable ex) {
                System.err.println("Initial SessionFactory creation failed: " + ex);
                throw new ExceptionInInitializerError(ex);
            }
        }

        public static SessionFactory getSessionFactory() {
            return sessionFactory;
        }
    }

Is there a way to use a hashed Database password for hibernate?

Tobias Nolte

2 Answers

The password supplied in hibernate.connection.password is used by Hibernate to connect to the database, and hence it needs the actual password instead of a hashed password.

You store hashed passwords only when you need to verify the identity of a user, because once any text has been hashed, it's irreversible.

It's a one-way process: you can get hashed text from your password, but you cannot get the password back from the generated hash.

If you store a hashed password in hibernate.connection.password then Hibernate won't be able to connect to the database, because there's no way to get the password from an MD5 hash. So it's not possible.

See also: Fundamental difference between Hashing and Encryption algorithms

However, you can encrypt the password in hibernate.cfg.xml; see this question.

Raman Sahasi
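To make the one-way point concrete, here is an added example (not the answerer's code, and not part of the original post) showing the only operation a stored hash supports: re-hashing a candidate and comparing digests. It uses MD5 purely because the question is about MD5; the sample password and class names are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: a stored digest can be used to VERIFY a password, never to
// recover it. A JDBC driver has to send the password itself, so a hash cannot
// take its place in hibernate.connection.password.
public class HashVerificationDemo {

    // Lower-case hex MD5 of the input. MD5 appears here only because the question
    // asks about it; it is not a suitable algorithm for real credential storage.
    static String md5Hex(String text) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(text.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Verification: hash the candidate and compare with the stored value.
    // MessageDigest.isEqual compares in constant time, so a wrong guess does not
    // leak how many leading characters matched.
    static boolean verify(String storedHex, String candidate) {
        return MessageDigest.isEqual(
                storedHex.getBytes(StandardCharsets.UTF_8),
                md5Hex(candidate).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String stored = md5Hex("correct horse");   // constructed sample secret

        System.out.println("same password verifies:  " + verify(stored, "correct horse"));
        System.out.println("other password verifies: " + verify(stored, "wrong"));

        // What does NOT exist anywhere in the API: a method that takes `stored`
        // and returns "correct horse". That missing inverse is exactly why the
        // database connection cannot be made from the hash alone.
    }
}
```

The contrast with the question is the direction of data flow: in a login check the secret arrives from the user and the hash only has to confirm it, whereas a database connection has to produce the secret and send it, which a digest cannot do.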

You would be better off externalising the password, i.e. removing it completely from hibernate.cfg.xml. You can then pass it in via a system property, e.g. add the following to your server's startup command: -Dhibernate.connection.password=password.

An even better approach is to define a JNDI datasource in your app server and then have Hibernate obtain a reference to it. All DB credentials are then removed from the app config, and you can deploy your app to different environments without changing the configuration (assuming the JNDI datasource name remains consistent).

See:

https://docs.jboss.org/hibernate/orm/3.3/reference/en/html/session-configuration.html

Alan Hay
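As an added example (not the answerer's code and not from the Hibernate project), here is the asker's HibernateUtility reworked so that the password never sits in hibernate.cfg.xml. It assumes the config file on the classpath omits hibernate.connection.password, and that when a JNDI datasource is configured via hibernate.connection.datasource no credential is needed at all. The DB_PASSWORD environment variable name is an assumption chosen for the example; the -D property name is the one the answer gives.

```java
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.hibernate.cfg.Environment;

// Added example: externalised database credential. The hibernate.cfg.xml on the
// classpath is assumed to contain NO hibernate.connection.password entry.
public class HibernateUtility {
    private static final SessionFactory sessionFactory = buildSessionFactory();

    private static SessionFactory buildSessionFactory() {
        try {
            Configuration cfg = new Configuration().configure(); // reads hibernate.cfg.xml

            // Case 1: container-managed JNDI datasource. The app server holds the
            // credentials, so the application supplies nothing. In hibernate.cfg.xml:
            //   <property name="hibernate.connection.datasource">java:comp/env/jdbc/AppDS</property>
            // (the JNDI name is a placeholder) and no driver_class/url/username/password.
            if (cfg.getProperty(Environment.DATASOURCE) != null) {
                return cfg.buildSessionFactory();
            }

            // Case 2: plain JDBC connection. Supply the password from outside the
            // config file and refuse to start with an empty one.
            cfg.setProperty(Environment.PASS, requirePassword());
            return cfg.buildSessionFactory();
        } catch (Throwable ex) {
            System.err.println("Initial SessionFactory creation failed: " + ex);
            throw new ExceptionInInitializerError(ex);
        }
    }

    // Resolution order: -Dhibernate.connection.password=... on the JVM command line
    // (the form the answer suggests), then the DB_PASSWORD environment variable
    // (name assumed for this example). Failing fast here beats a misleading
    // "authentication failed" from the driver later on.
    private static String requirePassword() {
        String fromProperty = System.getProperty(Environment.PASS);
        if (fromProperty != null && !fromProperty.isEmpty()) {
            return fromProperty;
        }
        String fromEnv = System.getenv("DB_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv;
        }
        throw new IllegalStateException(
                "No database password supplied: set -D" + Environment.PASS
                + " or the DB_PASSWORD environment variable");
    }

    public static SessionFactory getSessionFactory() {
        return sessionFactory;
    }
}
```

Environment.PASS and Environment.DATASOURCE are Hibernate's constants for hibernate.connection.password and hibernate.connection.datasource. Hibernate also copies JVM system properties into its own configuration on startup, which is what the bare -D approach in the answer relies on; the code above adds the environment-variable fallback and the explicit refusal to proceed when neither source is set, so a misconfigured deployment fails at startup rather than connecting with an empty password.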