
When using Hibernate, in order to set up the database configuration, we need to store the database username and password in the Hibernate configuration file. Is this safe to do? If somebody gets the database credentials by reading this file, then my database information is not safe.

What is the best practice for such a situation?

DesirePRG
  • You can omit the database connection details there and provide these parameters in code. Or use a dependency injection framework like Spring, where these parameters can be injected by reading a properties file; this file may be external to the app. – Luiggi Mendoza Mar 01 '15 at 16:52
  • If the credentials are stored in the configuration file, and if we deploy the app in a web server, can an end user read this file? – DesirePRG Mar 01 '15 at 16:59

2 Answers


It's not a good idea, because everyone who has access to the hibernate.cfg.xml file or the persistence.xml file could read the username, password and DB hostname. But that's not the worst problem: the point is that you are binding the code to the DB. This is wrong, because you have to decouple your code from the database. The customer must have the freedom to deploy your final application in whatever environment they want (e.g. development, test, integration, production), and each environment has its own database. You can't edit the code for every release you make.

You should declare the JNDI name of the datasource in your hibernate.cfg.xml file and in your persistence.xml.

You can declare the datasource in your hibernate hibernate.cfg.xml file in the following way:

<hibernate-configuration>
    <session-factory>
        <!-- properties -->
        <property name="connection.datasource">jdbc/DatasourceName</property>
        <mapping class="MyEntity" />
    </session-factory>
</hibernate-configuration>

You can declare the datasource name in your persistence.xml file in the following way:

<?xml version="1.0" encoding="UTF-8"?>
<persistence version="2.1"
    xmlns="http://xmlns.jcp.org/xml/ns/persistence"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
    <persistence-unit name="MyPU">
        <jta-data-source>jdbc/DataSourceName</jta-data-source>
        <class>MyEntity</class>
    </persistence-unit>
</persistence>

Once you are done declaring your datasource in your configuration files, you have to deploy the datasource in your Application Server. This procedure depends on which Application Server you are using (e.g. Glassfish, Tomcat etc.) and the DB you are using (e.g. MySQL, Postgres, etc.). For example, if you are using Glassfish and MySQL, you could follow this guide.

Peter

Even if you store the database connection properties in an XML or properties file, an end user can gain access and read the credentials.

But only somebody who has access to your deployment setup/WAR/server etc. can read it.

But it is always better to have the credentials in a properties file and use them as placeholders in the XML file.

This might help you.

Ankur Singhal
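The two answers and Luiggi's comment describe the same idea from different angles: keep the packaged hibernate.cfg.xml free of credentials and let either the application server (JNDI datasource) or an external file outside the WAR supply them. The following Java class is an added example, not code from either answer or from Hibernate itself; it shows both bootstrap routes against the Hibernate 4.3+/5 native API, plus the checks a reviewer would want: the classpath config is refused if it carries inline credentials, and the external file is refused if it is readable by anyone but the application user. The file path, the `db.url`/`db.username`/`db.password` keys, the `DB_CREDENTIALS_FILE` variable and the JNDI name are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

import org.hibernate.SessionFactory;
import org.hibernate.boot.registry.StandardServiceRegistry;
import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
import org.hibernate.cfg.Configuration;
import org.hibernate.cfg.Environment;

/** Added example: bootstrap Hibernate without secrets in hibernate.cfg.xml. */
public class SecureHibernateBootstrap {

    /** Keys that must never appear in a hibernate.cfg.xml shipped inside the WAR. */
    private static final String[] SECRET_KEYS = { Environment.USER, Environment.PASS, Environment.URL };

    /**
     * Fail fast if the classpath hibernate.cfg.xml carries connection secrets,
     * i.e. exactly the situation the question is worried about.
     */
    static void rejectInlineCredentials(Properties hibernateProps) {
        for (String key : SECRET_KEYS) {
            if (hibernateProps.containsKey(key)) {
                throw new IllegalStateException(
                    "hibernate.cfg.xml must not contain " + key + "; supply it outside the WAR");
            }
        }
    }

    /**
     * Load db.url / db.username / db.password (assumed keys) from a file outside the
     * deployment, refusing files readable by group or others. POSIX file systems only.
     */
    static Properties loadExternalCredentials(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        boolean sharedWithOthers = perms.stream().anyMatch(p -> !p.name().startsWith("OWNER_"));
        if (sharedWithOthers) {
            throw new IOException(file + " must be readable only by the application user (chmod 600)");
        }
        Properties creds = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            creds.load(in);
        }
        for (String key : new String[] { "db.url", "db.username", "db.password" }) {
            if (creds.getProperty(key) == null) {
                throw new IOException("missing " + key + " in " + file);
            }
        }
        return creds;
    }

    /** Stand-alone deployment: classpath config plus credentials injected from an external file. */
    public static SessionFactory fromExternalFile(Path credentialsFile) throws IOException {
        Configuration cfg = new Configuration().configure(); // reads hibernate.cfg.xml from the classpath
        rejectInlineCredentials(cfg.getProperties());
        Properties creds = loadExternalCredentials(credentialsFile);
        cfg.setProperty(Environment.URL, creds.getProperty("db.url"));
        cfg.setProperty(Environment.USER, creds.getProperty("db.username"));
        cfg.setProperty(Environment.PASS, creds.getProperty("db.password"));
        return build(cfg);
    }

    /** Container deployment: only the JNDI name is configured; the server holds the secrets. */
    public static SessionFactory fromJndi(String jndiName) {
        Configuration cfg = new Configuration().configure();
        rejectInlineCredentials(cfg.getProperties());
        cfg.setProperty(Environment.DATASOURCE, jndiName); // e.g. "jdbc/DatasourceName" as in the answer
        return build(cfg);
    }

    private static SessionFactory build(Configuration cfg) {
        StandardServiceRegistry registry = new StandardServiceRegistryBuilder()
                .applySettings(cfg.getProperties())
                .build();
        return cfg.buildSessionFactory(registry);
    }

    public static void main(String[] args) throws IOException {
        // The path comes from the environment, so the same WAR runs unchanged in dev, test and prod
        // (constructed default value; the variable name is an assumption of this example).
        String credPath = System.getenv().getOrDefault("DB_CREDENTIALS_FILE", "/etc/myapp/db.properties");
        SessionFactory sessionFactory = fromExternalFile(Paths.get(credPath));
        sessionFactory.close();
    }
}
```

With the JNDI route the WAR never sees the password at all: the `<Resource>` or connection pool is defined in the server's own configuration (Tomcat's context.xml, Glassfish's admin console), which is owned by the server account rather than by the deployed application, and rotating the credential is a server-side change with no rebuild. With the external-file route the permission check matters as much as the file location: a world-readable `/etc/myapp/db.properties` is no better than a password inside the WAR.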