1

I've been looking at FTP and MySQL connections (with passwords) in Java, and I'm wondering whether this is safe for distribution in software. I know that JAR files can be opened and decompiled. Is there any way around using a plain-text password, or is this not a problem?

  • It is of course not safe. Don't distribute them but distribute a sample file for the library user to fill with the correct values. – fge Jul 05 '13 at 10:12
  • But if I want to have a central MySQL server for all the clients to connect to, should I create a read-only MySQL user or what... – user2353385 Jul 05 '13 at 10:13
  • Well yes, and you should always do that for that matter. Users reading data have no reason to have any write access ;) In this case, you may distribute the username/password. Same goes for FTP: a read-only user, not a read-write user – fge Jul 05 '13 at 10:15

4 Answers

1

You could create a PHP file for reading MySQL only. You could give the file a GET parameter and the PHP script would check that it is only a SELECT query. Then the PHP script would write the output from the SQL query to the file. And in Java you could get the content via URLConnection or something like that.

MinecraftShamrock
1

I would create a service-based solution. Your Java client can call the service to retrieve data.

That should give you the following benefits:

  1. Your clients can be individually authenticated against the service.
  2. The actual database implementation is hidden from the user and they don't need to even see the connection string.
  3. The service defines approved functionality/queries. The user doesn't have direct access to the database to run arbitrary queries.
Jason P
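
A sketch of the service-side gate described in the answer above, as an added example that is not part of the original answer: each client presents its own token, and the service maps an operation name to fixed, parameterized SQL, so neither SQL nor database credentials ever reach the client. The class name, operation names, table names and token value are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical gateway: authenticates a client, then resolves an approved operation. */
public class QueryGateway {
    // Per-client tokens, stored only as SHA-256 digests (suitable for random, high-entropy tokens).
    private final Map<String, byte[]> tokenDigests = new HashMap<>();
    // Approved operations: name -> fixed SQL for a PreparedStatement. Clients never send SQL.
    private final Map<String, String> approved = Map.of(
        "scoresByPlayer", "SELECT score, played_at FROM scores WHERE player = ?",
        "latestNews", "SELECT title, body FROM news ORDER BY id DESC LIMIT ?");

    public void register(String clientId, String token) {
        tokenDigests.put(clientId, sha256(token));
    }

    /** Returns the SQL the service may run for this request, or throws if it is not allowed. */
    public String authorize(String clientId, String token, String operation) {
        byte[] expected = tokenDigests.get(clientId);
        // MessageDigest.isEqual compares in constant time, so timing does not leak the digest.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(token)))
            throw new SecurityException("unknown client or bad token");
        String sql = approved.get(operation);
        if (sql == null)
            throw new SecurityException("operation not approved");
        return sql;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every Java platform
        }
    }

    public static void main(String[] args) {
        QueryGateway gw = new QueryGateway();
        gw.register("client-42", "constructed-sample-token"); // constructed sample values
        System.out.println(gw.authorize("client-42", "constructed-sample-token", "scoresByPlayer"));
        String[][] rejected = {
            {"client-42", "wrong-token", "scoresByPlayer"},                 // bad credential
            {"client-42", "constructed-sample-token", "DROP TABLE scores"}}; // not an approved name
        for (String[] r : rejected) {
            try { gw.authorize(r[0], r[1], r[2]); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because each client has its own token, one leaked or decompiled credential can be revoked without affecting the others, and it only ever grants the operations listed in `approved`.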
0

You can encrypt your passwords to secure them.

Here you have an example of how to use encryption/decryption: Encrypt and decrypt a String in java

Other link: How to encrypt String in Java

surfealokesea
0

If your software can authenticate to your FTP server, anyone who has the software can access your service. This is how software works.

The only way to prevent this is to not give the person software that can authenticate to your FTP.

Harold R. Eason