1

I've been searching for a way to avoid hard coding my database credentials into my code base (mainly written in Java), but I haven't found many solutions. I read this post where they said a one way hash could be the answer. Is there another way of securely connecting to a database without running into the risk of someone decompiling your code?

Just to clarify, I'm not looking for code, rather a nudge in the right direction.

justanotherguy
  • 395
  • 4
  • 17

5 Answers5

2

If you can used spring boot application, then you can configure using cloud config method. I have added some postgresql db connection details for your further reference. Please refer following link for spring boot cloud config. spring_cloud

spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://{{db_url}}:5432/{{db_name}}
spring.datasource.username=postgres
spring.datasource.password=
spring.datasource.maxActive=3
spring.datasource.maxIdle=3
spring.datasource.minIdle=2
spring.datasource.initialSize=2
spring.datasource.removeAbandoned=true
spring.datasource.tomcat.max-wait=10000
spring.datasource.tomcat.max-active=3
spring.datasource.tomcat.test-on-borrow=true
Thusitha Indunil
  • 832
  • 1
  • 8
  • 22
1

You could load a config file in your code. Define some kind of file, such as JSON or XML, and define all of your configurations in there. You could point to the file as a command line argument, or just hardcode the file path.

Here's a post talking about parsing JSON config in Java: How to read json file into java with simple JSON library

robbieperry22
  • 1,753
  • 1
  • 18
  • 49
  • If they can decompile the application to get credentials then shipping an application with a file containing credentials doesn't seem much better. – Dave Newton Feb 13 '19 at 12:49
  • The file wouldn't be compiled. If none is provided, the program wouldn't start. – robbieperry22 Feb 13 '19 at 17:54
  • 1
    So you'd ship an uncompiled file... I don't understand how this solves anything at all. The OP is stating that decompiling the code is the issue: this means we're not talking about a web app (or at least not a remote web app). If they can decompile the code it means it's local. If it's local an external file with credentials has the exact same issue as the code. – Dave Newton Feb 13 '19 at 18:19
  • Makes sense. I was thinking more along the lines of something being deployed. – robbieperry22 Feb 13 '19 at 18:22
  • 1
    Yea this would be a simple desktop application, so people would be able to decompile the code and possibly look at any config file that are compiled with the program. – justanotherguy Feb 13 '19 at 18:48
1

You can refer to these post. They are basically just saying to either hash, store it in a property file or use an API. Some of the posts are not merely on Java but you can get ideas from them.

How can I avoid hardcoding the database connection password? https://security.stackexchange.com/questions/36076/how-to-avoid-scripts-with-hardcoded-password https://www.codeproject.com/Articles/1087423/Simplest-Way-to-Avoid-Hardcoding-of-the-Confidenti

Mark Melgo
  • 1,477
  • 1
  • 13
  • 30
1

The solution in our team, database as a service,other application use it's API to get database credentials,the request contains simple credentials like application name.

TongChen
  • 1,414
  • 1
  • 11
  • 21
1

You have several options to avoid hard code values in your source code:

  • Properties using Advanced Platforms
  • Properties from Environment variables
  • Properties from SCM
  • Properties from File System

More details here:

https://stackoverflow.com/a/51268633/3957754

JRichardsz
  • 14,356
  • 6
  • 59
  • 94