In my application I have a ApplicationConstants.java class that serve for String Constants used in the application.
I have public static final String PASSWORD = "password" as one of the constant. Sonar throws an error for that as below. Kindly let me know if there is a way to handle the same.
Sonar error: Description Assignee Resource New issue Credentials should not be hard-coded : Remove this hard-coded password. EnrollmentConstant.java false
you should either extract it to properties file. Here you can read how to do it
You can also put it on application server as a system property and expect it to be present on production machine (Wildfly server for example) and then read it using System.getProperty(key). This complicates deployment a little bit, but production password will not be present in project.
If you use Spring you can load value to bean using @Value annotation. Here you can read how to do this.
You need to store the Credentials outside of the code in a encrypted configuration file or database.At the Soanr end they have flag for the hardcoded password/username.So keep it in properties file or some other configuration file.Its also not suggested to keep the password in String object due to security reason because it is easy to extract strings from a compiled application.
For me, the main reason to not do this is this scenario: the password changes. Now you have to change the code, recompile, and redeploy. If you have it in a config file (or some other way of not having it directly in the code), you don't have to do all that. Worst case you have to bounce the server. Best case - your code can tell when the config file has changed and picks up the changes on the fly.
