
Ok, so I have created a Java Swing application that uses the JDBC MySQL jar file to connect to a database that I have on a server. No real issues; everything works great. I then got to thinking that there is a chance that someone could get into the program and look at the source code. No real big issue there, except I have the database information (URL, username, password etc.) and that would be just a wide open ticket for someone to just go in and get the database data.

My question is what is the general idea about this? How do you store a password in your source code knowing that someone can go in and get the information if they were really determined?

ageoff
  • Good news! Someone already asked about how to securely store passwords for Java apps, so you don't need to wait for an answer! See [How are secure database connections usually implemented in JAR files?](http://stackoverflow.com/questions/3660154/how-are-secure-database-connections-usually-implemented-in-jar-files) – David Sep 27 '13 at 16:15
  • You can encrypt your credentials; it's safer than having it in plain text. You can use [jasypt](http://www.jasypt.org/) – nachokk Sep 27 '13 at 16:16
  • You don't, you put it somewhere safer. – chrylis -cautiouslyoptimistic- Sep 27 '13 at 16:18
  • I don't think it's a duplicate of that, he is asking about datasource configuration! – nachokk Sep 27 '13 at 16:19
  • "if they are really determined", then nothing you do on the client will help you. You can encrypt it any way you want to, but as long as all that and the decryption logic is on the client you cannot keep a determined, knowledgeable person out. You should assume that such a person will know your database password. Can someone ignore your code entirely and simply snoop on the communication to the database server? OTOH, if you only want to stop Wrap your DB with a "service layer" and don't expose anything below that. You might get away with using stored procedures. – Darius X. Sep 27 '13 at 16:31

1 Answer

  • One approach: You can store this security information in an encrypted file, then decrypt that file at runtime and open the database.

  • Another approach: Let the app connect to your own website and bring in the security information.

  • I like approach #1, that seems simple since it is only 1 password. Approach #2 doesn't seem to solve too much though, right? I would still need a password to connect to my server and that is just as bad. Also the database is hosted on the same server. – ageoff Sep 27 '13 at 16:23
  • +1 for two very applicable & secure solutions – recursion.ninja Sep 27 '13 at 16:26
  • Yes, you are right. #2 is not a real solution. However, you can mix the two approaches to get the maximum security. (i.e. have the encrypted file on the server with authorized access) –  Sep 27 '13 at 16:28
  • The best way to secure a client side connection to a database is to not distribute the database connection to the client; instead have the client access a server (perhaps via REST calls) that connects to the database. – DwB Sep 27 '13 at 16:29
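A server-side service layer in the spirit of the answer's approach #2 and DwB's comment, as an added example that is not code from the question or the answer: the MySQL credentials exist only on the server, read from its environment, and the Swing client presents a per-user token instead of a database password. The class name OrdersService, the orders table, the token map and the /orders endpoint are assumptions for illustration.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.MessageDigest;
import java.sql.*;
import java.util.Map;
import static java.nio.charset.StandardCharsets.UTF_8;

// Hypothetical service layer: the Swing client calls this server, and only the
// server holds the MySQL credentials, so none of them are in the client JAR.
public class OrdersService {
    // Taken from the server's environment (or a secrets manager), never from source.
    private static final String DB_URL = System.getenv("DB_URL");
    private static final String DB_USER = System.getenv("DB_USER");
    private static final String DB_PASS = System.getenv("DB_PASSWORD");
    // Constructed sample: per-user API tokens; a real service issues these at login.
    private static final Map<String, String> TOKENS = Map.of("tok-example-alice", "alice");

    public static void main(String[] args) throws IOException {
        // Assumes TLS is terminated in front of this listener (proxy or HttpsServer).
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/orders", OrdersService::handleOrders);
        server.start();
    }

    // Maps a valid bearer token to a user name, else null; constant-time comparison.
    static String authenticate(String authHeader) {
        if (authHeader == null || !authHeader.startsWith("Bearer ")) return null;
        byte[] presented = authHeader.substring(7).getBytes(UTF_8);
        for (Map.Entry<String, String> e : TOKENS.entrySet()) {
            if (MessageDigest.isEqual(e.getKey().getBytes(UTF_8), presented)) return e.getValue();
        }
        return null;
    }

    static void handleOrders(HttpExchange ex) throws IOException {
        String user = authenticate(ex.getRequestHeaders().getFirst("Authorization"));
        if (user == null) { ex.sendResponseHeaders(401, -1); ex.close(); return; }
        StringBuilder body = new StringBuilder();
        // The server scopes rows to the authenticated user; the client never runs SQL.
        try (Connection c = DriverManager.getConnection(DB_URL, DB_USER, DB_PASS);
             PreparedStatement ps = c.prepareStatement("SELECT id, total FROM orders WHERE owner = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) body.append(rs.getInt("id")).append(',').append(rs.getBigDecimal("total")).append('\n');
            }
        } catch (SQLException e) { ex.sendResponseHeaders(500, -1); ex.close(); return; }
        byte[] out = body.toString().getBytes(UTF_8);
        ex.sendResponseHeaders(200, out.length);
        ex.getResponseBody().write(out);
        ex.close();
    }
}
```

The client then needs only the service URL and its own token; revoking a leaked token affects one user, whereas a leaked database password in the JAR affects everyone.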