2

I have submitted my JAVA EAR to Veracode Security tool and got an issue of Plaintext Storage of a Password on the following code: 

ApplicationProperties   app = new ApplicationProperties(fileProp);
String sqlServerPassword = app.getAppProperty("sqlServerPassword");  
con = DriverManager.getConnection(sqlServerConnectString, sqlServerUserID, sqlServerPassword);

And in properties file I have stored the value of this password.
Someone please help me to resolve this issue.

user1782009
  • 299
  • 4
  • 15
  • 32
  • The obvious answer is "Don't store the password in plain text," but I'm guessing your *real* question is, how do you store it otherwise and still use it to connect. (For instance, should you have a public key admins can use to generate a password string for the file, which you then decode using a private key embedded in your app, that kind of thing...) – T.J. Crowder Apr 23 '13 at 08:48
  • Ya that is my question.What do you exaclty mean by public key? – user1782009 Apr 23 '13 at 08:53
  • @user1782009 Wow, you have a lot to read here: http://en.wikipedia.org/wiki/Public-key_cryptography – Rubén Apr 23 '13 at 08:55
  • @Khanserthanks for the link..but it includes only theory part..could you please provide me any practical implementation of how to store my password other then storing it in plain text? – user1782009 Apr 23 '13 at 09:04

2 Answers2

1

Since you say you have an enterprise application (an EAR), then you are going to be deploying this to an application server. The normal way of handling database connections in enterprise applications is to let the server manage a connection pool as a resource. Your application can then lookup the connection pool using JNDI and get a connection.

As you configure the connection pool on the server the application never needs to know the details (such as the db server, username or password) its all managed server side. Security comes from the in-built access control mechanism on your server.

Have a read of the docs for your application server, its likely there will be specific instructions telling you how to configure a connection pool as a JNDI resource.

Qwerky
  • 18,217
  • 6
  • 44
  • 80
  • You mean something like the this... InitialContext itx = new InitialContext(); DataSource dts = (DataSource)itx.lookup(url); con = dts.getConnection(hsUserId, sqlServerPassword); but then also i need to store this password somewhere..right? – user1782009 Apr 23 '13 at 09:08
  • @user1782009 - `DataSource` also has a `getConnection()` method. See http://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource-examples-howto.html#Oracle_8i,_9i_&_10g for an example of how it works on tomcat. – Qwerky Apr 23 '13 at 09:16
  • Ya..but then how will it take credentials to connect to the database if i only use getConnection()? – user1782009 Apr 23 '13 at 09:28
  • @user1782009 because you give the credentials to the datasource when you create it on the server. It stores them internally. – Qwerky Apr 23 '13 at 09:48
0

If your application relies on SQL authentication, credentials must be protected in configuration files. Use a protected configuration provider to encrypt connection strings before storing them in configuration files.

Have a look at the following article:

http://scribblejava.wordpress.com/2010/03/23/encrypt-username-and-password-for-jndi-in-tomcat-server-xml/

Fabio @fcerullo

fcerullo
  • 621
  • 4
  • 3