
AppScan is reporting an issue with the following code segment in my application:

con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","system","oracle");

The issue is of type Authentication.Credentials.Unprotected.

Can someone suggest a way to resolve this type of issue?

SatyaTNV

1 Answer

AppScan is reporting that your credentials are in plain text.
You should hide the credentials. One way is to read them from a property file like this:

import java.io.FileInputStream;
import java.util.Properties;

Properties props = new Properties();
// load the credentials from a file kept outside the source tree
try (FileInputStream in = new FileInputStream("credentials.txt")) {
    props.load(in);
}
con = DriverManager.getConnection(props.getProperty("connectionUrl"),
                                  props.getProperty("user"),
                                  props.getProperty("password"));

The credentials.txt looks like this:

connectionUrl=jdbc:oracle:thin:@localhost:1521:xe
user=system
password=oracle

If those are your real credentials, then you should change them now.
If you want to be more secure, then you should also encrypt the credentials in the file and decrypt them before accessing the database.

I hope it helps. Have a nice day.

Leonid Glanz
  • Thank you for your response. As you said, the credentials were already placed in a property file, from where the application is pulling the values. Even then the AppScan tool reports the error. Can you suggest a code snippet that explains how to encrypt them in the file and decrypt them before accessing the DB? – user3048261 Jan 07 '16 at 07:32
  • You can find an example for credential encryption here: http://stackoverflow.com/q/339004/2162470 You should choose which encryption is the best for your needs. – Leonid Glanz Jan 07 '16 at 07:54
  • Thank you for the quick response. I have gone through the link that you mentioned. I still have trouble understanding the contents there. They are using some high-level terminology like WebServices etc. about which I don't have any knowledge, as I am a beginner in the IT industry. Can you please make it simple enough to be understood even by a beginner? Thanks in advance for your support. – user3048261 Jan 07 '16 at 09:11
  • I have found a better tutorial for you: http://www.wikijava.org/wiki/Secret_Key_Cryptography_Tutorial – Leonid Glanz Jan 07 '16 at 09:34
  • Many thanks for the help..!! I saw the tutorial and it seems to be useful for my requirement. I created a simple project and ran this code, and it worked fine. The final question I have is where exactly I have to encrypt and where I need to decrypt. My application has code like the following: private Connection getConnection(DBFactory.DriverType jdbcDriverType, Properties dbProps) { //getting URL, UserName, Password from properties file Connection conn = java.sql.DriverManager.getConnection(url, props); } Please help me..!! – user3048261 Jan 07 '16 at 10:41
  • The connection string, user and password should be encrypted and saved in the properties file, and before you give the credentials to your DriverManager you should decrypt them. – Leonid Glanz Jan 07 '16 at 11:42
  • The properties file already has these details. How can I store the encrypted values in the properties file? – user3048261 Jan 07 '16 at 12:21
  • You should pass the decrypted credentials to the DriverManager. Just encrypt the strings, save them in the file like user=adfharjeusfsdf, read the properties String user=props.getProperty("user"), decrypt the user and give it to DriverManager.getConnection(... decrypt(user)...). – Leonid Glanz Jan 07 '16 at 12:31
  • Thank you very much for clarifying my doubts. It's very useful and I need to apply the same in my scenario. Somewhere I read that "BASE64Decoder" is not recommended. So, do we have a better option than this? – user3048261 Jan 08 '16 at 05:01
  • I have applied the above to encrypt/decrypt the credentials. For example, I have encrypted the password, say 'Hello'. I got the encrypted string 'P5KWwHEfLkk='. If I run it again I get something like 'SibK7y4x6sk='. Anyway, I have stored password=P5KWwHEfLkk= in the properties file. I added code to get the password from the properties file as passwrd = props.getProperty("password"), which returns 'P5KWwHEfLkk='. Now I have added code to decrypt this as DriverManager.getConnection(...decrypt(passwrd)...). Then I get a 'javax.crypto.BadPaddingException: Given final block not properly padded' exception. – user3048261 Jan 08 '16 at 05:30
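The thread stops at the BadPaddingException, so here is a worked version of the encrypt-in-file, decrypt-before-getConnection flow the answer and comments describe. This is an added example, not code from the answer, the asker, or the linked tutorial. It assumes AES-GCM, a base64 key in an environment variable named DB_CRED_KEY (a made-up name), an ENC(...) marker around encrypted property values, and a constructed properties text in place of credentials.txt. Two points it makes that the thread only hints at: a different ciphertext on every run is normal when a random IV is used and is not the cause of the error, whereas decrypting with a key other than the one used for encryption is, which is what happens when the key is regenerated on each run instead of generated once and stored; and the key itself has to be kept outside the properties file (environment, keystore, secrets manager), otherwise encrypting the values only moves the secret from one file to another and a scanner finding is the least of the problems.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialVault {
    private static final String CIPHER = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;                // 96-bit GCM nonce
    private static final int TAG_BITS = 128;               // authentication tag
    private static final String KEY_ENV = "DB_CRED_KEY";   // assumed name, not from the thread
    private static final SecureRandom RNG = new SecureRandom();

    // The key lives outside the properties file: read it as base64 from the
    // environment. A keystore or secrets manager fits the same method.
    static SecretKey loadKeyFromEnv() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null) throw new IllegalStateException(KEY_ENV + " is not set");
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) throw new IllegalStateException("expected a 256-bit AES key");
        return new SecretKeySpec(raw, "AES");
    }

    // Encrypt one property value. A fresh random IV is prepended, so the same
    // plaintext yields a different string each call; decryption still works
    // because the IV travels with the ciphertext and the key is the same.
    static String encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return "ENC(" + Base64.getEncoder().encodeToString(blob) + ")";
    }

    // Decrypt a value written by encrypt(). A value without the ENC(...) marker
    // is rejected rather than passed through, so a forgotten step fails loudly.
    static String decrypt(SecretKey key, String stored) throws GeneralSecurityException {
        if (!stored.startsWith("ENC(") || !stored.endsWith(")")) {
            throw new IllegalArgumentException("value is not in ENC(...) form");
        }
        byte[] blob = Base64.getDecoder().decode(stored.substring(4, stored.length() - 1));
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demo only: a throwaway key. For real use generate it once, export it
        // as DB_CRED_KEY, and call loadKeyFromEnv() here instead.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        String enc1 = encrypt(key, "oracle");
        String enc2 = encrypt(key, "oracle");   // differs from enc1: random IV
        if (enc1.equals(enc2) || !decrypt(key, enc1).equals("oracle")
                || !decrypt(key, enc2).equals("oracle")) {
            throw new IllegalStateException("round trip failed");
        }

        // A key that is not the one used for encryption fails with
        // AEADBadTagException, a subclass of BadPaddingException. Regenerating
        // the key on every run instead of storing it produces this failure.
        try {
            decrypt(kg.generateKey(), enc1);
            throw new IllegalStateException("wrong key was accepted");
        } catch (AEADBadTagException expected) {
            System.out.println("wrong key rejected: " + expected.getClass().getSimpleName());
        }

        // Constructed properties content standing in for credentials.txt;
        // only the password is stored encrypted here.
        Properties props = new Properties();
        props.load(new StringReader("connectionUrl=jdbc:oracle:thin:@localhost:1521:xe\n"
                + "user=system\n" + "password=" + enc1 + "\n"));
        String url = props.getProperty("connectionUrl");
        String user = props.getProperty("user");
        String password = decrypt(key, props.getProperty("password"));
        // Connection con = DriverManager.getConnection(url, user, password);
        System.out.println("decrypted " + password.length() + "-char password for " + user + "@" + url);
    }
}
```

The ENC(...) marker lets plain and encrypted values coexist during a migration and makes a value that was never encrypted fail at startup instead of being sent to the database as-is. Base64 is only an encoding, not protection, which is why a value like P5KWwHEfLkk= is still readable by anyone who can open the file; the protection comes from the key, so whatever holds DB_CRED_KEY needs the same access control the credentials had.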