Moving passwords out of war

Question

We have a web application that runs on tomcat that has hardcoded passwords inside some of the .java files. Our security folks are none too pleased and they asked we move the files externally.

My assumption was that the best way to do this was to put a properties file inside of the tomcat /conf directory perhaps? Or maybe setting up some sort of JDNI property in one of the config files?

Is there an generally acceptable way this should be done?

I see this post has some answers for non tomcat: What is the best way to keep passwords configurable, without having them too easily available to the casual human reader?

To get more specific we have application managed database connections and i wanted to grab the credentials. I'm assuming i need to some how put them into a JNDI resource and then query that resource for the username/ password?

possible duplicate of [Best practice for storing database password](http://stackoverflow.com/questions/10191317/best-practice-for-storing-database-password) — Neil McGuigan, Aug 19 '15 at 20:49
Possible duplicate https://stackoverflow.com/questions/13956651/externalizing-tomcat-webapp-config-from-war-file — Valerio Bozz, Mar 27 '20 at 16:20

score 2 · Answer 1 · answered Aug 19 '15 at 20:51

A fairly easy solution would be simply externalizing the credentials from your app by:

creating a JNDI entry in the appserver config
restricting the access to this file (only those who are doing the relase should have access to it)
have the application use the JNDI resource to get connections

This way developers (or anybody with access to sourcecode) will not know the passwords. If you want an even more secure approach, you also need encode the password instead of storing it as cleartext. This obviously requires extra effort, so you need to decide whether if it is worth doing or not.

It would be useful to attach at least a link to the documentation, or an example. — Valerio Bozz, Feb 21 '23 at 14:14

score 1 · Accepted Answer · answered Aug 19 '15 at 20:54

1

I suggest this cases:

If the credentials are from a database I suggest you can use a JNDI alias and the JNDI will be configure at the application server.
If the credentials are from another use you need to encrypt and setup then at a properties file: the server who resolves the credentials will need to have the algoritm.
In any another case the user will need to enter the credentials in real time.

answered Aug 19 '15 at 20:54

frss-soft.com

106
3

1

Could you perhaps post a sample alias and how i'd access from inside a bean? – Jeef Aug 19 '15 at 20:55
So, you need a properties file by example. At this file you will read a value and through a Main class you will load each property in a variable. At the Bean file you can set it with a setter method. [Example1](http://www.mkyong.com/java/java-properties-file-examples/), [Example2](http://crunchify.com/java-properties-file-how-to-read-config-properties-values-in-java/) – frss-soft.com Aug 19 '15 at 20:59

Moving passwords out of war

2 Answers2