I was looking over the similar questions but I didn't find the right answer, and I think that there has to be some secure solution.

I have a client-server application. The clients connect to the central MySQL database which is on the server. My problem is how to securely store the database password in the client desktop application. For now I am storing it in encrypted form in a Java properties file. But properties files are readable, and also after decompiling my application everybody can see which encryption function I use for encoding the password and can easily get the password. So I think that there is no way to securely store the DB password in the client application, am I right?

The solution could be that the client application does some handshake with the server to get the database password. Are there any rules or patterns for how to do this handshake?

HPCS
    I found an exhaustive answer for this question: http://stackoverflow.com/questions/442862/how-can-i-protect-mysql-username-and-password-from-decompiling/442872#442872 – HPCS Nov 20 '11 at 18:10

1 Answer

Take a look at OAuth for authorization.

Alex Reynolds
  • I don't see how this helps protect a database password? You would need an OAuth web service on the server to supply passwords to validated clients - do you know of such a thing? – Simon G. May 29 '11 at 11:06
  • No, but you could probably build one with the right frameworks. – Alex Reynolds May 29 '11 at 20:02
  • I agree with Simon G., OAuth is a good solution for you for authentication since it only stores a token on the local client's machine. More fundamental than that, however, I would strongly recommend putting an app server between your client and the database. It's not a good idea to expose your DB to the Internet on an open port; it is potentially a much greater threat than storing passwords in your jar. If you really still want to talk directly to the DB, you could configure your application server to proxy requests from authorized users to the DB. Again, I'd use OAuth for authentication. – gwood Jun 06 '11 at 20:16
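The broker pattern the comments recommend (client authenticates as a user, receives a token, and the app server alone holds the DB credentials) as an added example; this is not code from the question or any answer. The user store, token format, table and the `issue_token`/`verify_token`/`fetch_orders` names are assumptions, and an in-memory SQLite database stands in for the MySQL server.

```python
import base64, binascii, hashlib, hmac, json, secrets, sqlite3, time

# --- Server side: the only place that ever sees the database credentials ---
DB_CREDENTIALS = {"user": "app_server", "password": "<held-only-on-server>"}  # never shipped to clients
TOKEN_KEY = secrets.token_bytes(32)  # server-side HMAC key; clients cannot mint tokens without it
# Constructed sample user store (a real deployment would use bcrypt/argon2 password hashes).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

_DB = sqlite3.connect(":memory:")  # stand-in for the MySQL connection opened with DB_CREDENTIALS
_DB.executescript("""CREATE TABLE orders(id INTEGER, owner TEXT, item TEXT);
INSERT INTO orders VALUES (1, 'alice', 'keyboard'), (2, 'bob', 'monitor');""")

def issue_token(username, password, ttl=300):
    """Handshake: the client proves who it is and gets a signed, expiring token
    naming the user. The token carries no database password at all."""
    stored = USERS.get(username)
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    payload = json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify_token(token):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        b64_payload, sig = token.split(".")
        payload = base64.urlsafe_b64decode(b64_payload)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # tampered payload or forged signature
        return None
    claims = json.loads(payload)
    if claims["exp"] < time.time():
        return None
    return claims["sub"]

def fetch_orders(token):
    """Data endpoint: the server opens the DB with its own credentials and scopes
    the query to the authenticated user, so a client only reaches its own rows."""
    user = verify_token(token)
    if user is None:
        return None
    return _DB.execute("SELECT id, item FROM orders WHERE owner = ?", (user,)).fetchall()

if __name__ == "__main__":
    # Client side holds only the user's login and the token it received.
    print(fetch_orders(issue_token("alice", "correct horse")))
```

Because the token is bound to a user and checked server-side, decompiling the client yields neither the DB password nor a way to widen the query beyond that user's rows.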