1

In my application built on Hibernate 5.2.11 there are many Hibernate configuration files with username, password and connection URL. I would like to encrypt that data.

My configuration file is like this:

<hibernate-configuration>

<session-factory>

    <!-- Database connection settings -->
    <property name="connection.driver_class">oracle.jdbc.driver.OracleDriver</property>

    <property name="connection.url">jdbc:oracle:localhos</property>
    <property name="connection.username">username</property>
    <property name="connection.password">passowrd123</property>

    <!-- JDBC connection pool (use the built-in) -->
    <property name="connection.pool_size">2</property>

    <!-- SQL dialect -->
    <property name="dialect">org.hibernate.dialect.Oracle12cDialect</property>
    <!-- Disable the second-level cache -->
    <property name="cache.provider_class">org.hibernate.cache.internal.NoCacheProvider</property>
    <!-- Echo all executed SQL to stdout -->
    <property name="show_sql">false</property>

</session-factory>

</hibernate-configuration>

Any suggestion?

D.Bertini

2 Answers

0

Use a property placeholder then add your database config to a properties file on the server:

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="location">
    <value>file:${configDir}/database.properties</value>
  </property>
</bean>

Then

<property name="connection.url">${url}</property>
<property name="connection.username">${username}</property>
<property name="connection.password">${password}</property>

Then your database.properties, which is securely on the server, will be

url=jdbc:oracle:localhost
username=username
password=passowrd123

Then when you start your java app add a system parameter to define the configDir location, for example:

 .... -DconfigDir=/opt/config

See examples here

Essex Boy
  • This doesn't look like encryption. Nowadays security doesn't want passwords in plain text in the properties files. – pitchblack408 Aug 07 '18 at 23:23
  • @pitchblack408 They are secure on the server, only the application can see them. If you encrypt them how do you avoid having the key in a properties file? You can use a password vault but you still need the key to the vault in a properties file. Securing them is more reliable than encrypting them. – Essex Boy Aug 08 '18 at 07:11
  • I had the same question for security. The answer was that it makes a hacker have to go through more effort to find the keyfile or keystore. I am using Java and sometimes .NET. But I imagine using a scripting language like JavaScript, PHP, etc. makes it easier for a hacker to find a key because all they have to do is comb the source code with grep and they can find the location of where the key is stored and how to access it. With a compiled language, someone would have to know how to use a decompiler. – pitchblack408 Aug 08 '18 at 17:17
  • @pitchblack408 you are completely missing the point, in my solution there are no properties in the source code, only placeholders. The actual properties are on the server and accessed at run time. – Essex Boy Aug 09 '18 at 07:18
  • I understand your solution, but the title of this post was Hibernate 5.2 encrypt configuration... I don’t know why he accepted your answer because it has nothing to do with encryption. In your solution, there is nothing about encryption or decryption. It was informative though, because I have always excluded the properties file from the build and changed the class path to pick up the file from somewhere else on the server. – pitchblack408 Aug 09 '18 at 08:40
0

Generally - encrypting/hiding anything that resides on the client's side (workstation/mobile/..) you can consider more like obfuscation or encoding.

In theory - you may set the Hibernate properties programmatically (see Setting properties programmatically in Hibernate) reading your data from an encrypted file.

The problem is - where do you put your encryption keys? The keys have to be available to the application anyway somewhere.

gusto2
  • Security said that they should be hidden on the server. As for getting the hibernate.connection.password to be set programmatically, I am having issues. Seems like it is still trying to use the one in the xml file. – pitchblack408 Aug 07 '18 at 23:43
  • @pitchblack408 this is exactly what my answer does?? – Essex Boy Aug 08 '18 at 07:20
  • @EssexBoy, this is what I wanted to do. https://stackoverflow.com/questions/51736887/how-to-set-the-hibernate-connection-password-as-an-encrypted-value-in-hibernate – pitchblack408 Aug 08 '18 at 17:04
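A sketch of the approach the second answer describes, setting the password programmatically from an encrypted file; this is an added example, not code from either answer or from Hibernate. The class name, the file name db.password.enc, the environment variable DB_CFG_KEY and the Base64(IV || ciphertext) layout are assumptions, and the key still has to be supplied to the process, which is the trade-off both answers point out.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;

public class EncryptedHibernateConfig {
    // Assumed file format: Base64( 12-byte IV || AES-GCM ciphertext + 16-byte tag )
    static String decrypt(String base64Blob, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(base64Blob.trim());
        if (blob.length < 12 + 16) {
            throw new IllegalArgumentException("encrypted value too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, blob, 0, 12));
        // doFinal throws AEADBadTagException if the key is wrong or the file was modified
        byte[] plain = cipher.doFinal(blob, 12, blob.length - 12);
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static SessionFactory build() throws Exception {
        // Hypothetical names: DB_CFG_KEY holds the Base64 AES key, configDir is the -D option above
        String keyB64 = System.getenv("DB_CFG_KEY");
        String dir = System.getProperty("configDir");
        if (keyB64 == null || dir == null) {
            throw new IllegalStateException("DB_CFG_KEY and -DconfigDir must both be set");
        }
        byte[] key = Base64.getDecoder().decode(keyB64);
        try {
            String blob = new String(Files.readAllBytes(
                    Paths.get(dir, "db.password.enc")), StandardCharsets.US_ASCII);
            Configuration cfg = new Configuration().configure(); // loads hibernate.cfg.xml
            // Set after configure() so this value replaces any password read from the XML
            cfg.setProperty("hibernate.connection.password", decrypt(blob, key));
            return cfg.buildSessionFactory();
        } finally {
            Arrays.fill(key, (byte) 0); // clear the key bytes once the factory is built
        }
    }
}
```

With this in place the connection.password property can be removed from hibernate.cfg.xml, and both the encrypted file and the key source should be readable only by the application's service account.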