
I have Spring JPA configuration as below

<!-- DBCP connection pool; the credentials are resolved from the externalized properties file -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="${jdbc.driverClassName}" />
    <property name="url" value="${jdbc.url}" />
    <property name="username" value="${jdbc.username}" />
    <property name="password" value="${jdbc.password}" />
</bean>

<!-- JPA EntityManagerFactory backed by the pool above -->
<bean id="emf" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
    <property name="dataSource" ref="dataSource" />
    <property name="jpaVendorAdapter" ref="vendorAdaptor" />
    <property name="packagesToScan" value="pk.training.model" />
    <property name="jpaProperties">
        <props>
            ...
            <prop key="hibernate.show_sql">true</prop>
        </props>
    </property>
</bean>

I have a properties file in which I have the password, like

jdbc.password=abc123

When my application runs, the Spring context loads and makes a connection to the database. Fine. Now I want to ask: suppose I give the password in encrypted form, like

jdbc.password=$53ytg#@!

Now how does JPA connect to the database? Is there any property by which JPA handles an encrypted password by itself, or do I have to do something on my own?

Thanks.

Basit
  • possible duplicate of [How to use encrypted password in apache BasicDataSource?](http://stackoverflow.com/questions/3423135/how-to-use-encrypted-password-in-apache-basicdatasource) – lexicore Oct 10 '14 at 18:26
  • Sure you can encrypt the password, but where would you store the decryption key? – holmis83 Oct 13 '14 at 07:38

1 Answer

You have to do this on your own. Security-wise, it doesn't add much, though. An attacker can

  1. Set a breakpoint in Spring, wait until the bean is created and read the password from the field
  2. Look at your code, find out where you store the key to decrypt the DB password, extract and use your code to decrypt it
  3. Since most DB drivers don't encrypt the data exchanged between your app and the database by default, your password (and all the data) is sent as plain text over the wire (unless the database is on the same server as your application).

So in most scenarios, the thing to do is to put the DB user and password in a file on your server's disk and make sure only authorized people can access this file (plus your app can read it). Encrypting the password only adds obscurity, not real security.

Aaron Digulla
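As an added example (not code from the question, the answer, or Spring itself), here is the "do it on your own" route the answer describes: a `PropertyPlaceholderConfigurer` subclass that decrypts `jdbc.password` before Spring injects it into the `BasicDataSource`, and that refuses to start unless the key file has owner-only permissions, which is the file-permission control the answer recommends. The class name `DecryptingPlaceholderConfigurer`, the `ENC(...)` marker, the key file path `/etc/myapp/db.key`, and the AES-GCM payload layout are all assumptions made for this example; `convertProperty` is the real hook on `PropertyResourceConfigurer` and is called on the merged properties before placeholders are resolved (this applies to `PropertyPlaceholderConfigurer`, the Spring 3/4-era class matching the question, not to `PropertySourcesPlaceholderConfigurer`).

```java
// Added example, not part of the original post. Assumed: package name, class name,
// the ENC(base64) marker, the key file path and the payload layout.
package pk.training.config; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;

/**
 * Resolves ${...} placeholders like PropertyPlaceholderConfigurer, but any property
 * value of the form ENC(base64) is decrypted first, so jdbc.properties can hold
 * jdbc.password=ENC(...) while BasicDataSource still receives the clear-text password.
 *
 * Wiring (in place of a plain property placeholder bean):
 *   <bean class="pk.training.config.DecryptingPlaceholderConfigurer">
 *     <constructor-arg value="/etc/myapp/db.key" />
 *     <property name="location" value="classpath:jdbc.properties" />
 *   </bean>
 */
public class DecryptingPlaceholderConfigurer extends PropertyPlaceholderConfigurer {

    private static final String PREFIX = "ENC(";
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    /** Path of the raw 32-byte AES-256 key file (assumed location, owner-only permissions). */
    private final Path keyFile;

    public DecryptingPlaceholderConfigurer(String keyFilePath) {
        this.keyFile = Paths.get(keyFilePath);
    }

    /** Called by Spring for every merged property before placeholder resolution. */
    @Override
    protected String convertProperty(String propertyName, String propertyValue) {
        if (propertyValue != null && propertyValue.startsWith(PREFIX) && propertyValue.endsWith(")")) {
            String payload = propertyValue.substring(PREFIX.length(), propertyValue.length() - 1);
            try {
                return decrypt(payload, loadKey());
            } catch (Exception e) {
                // Fail the context start rather than connecting with a garbage password.
                throw new IllegalStateException("Cannot decrypt property " + propertyName, e);
            }
        }
        return propertyValue; // all other properties pass through untouched
    }

    /** Loads the key, refusing to start if the file is readable by group or others. */
    private SecretKey loadKey() throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(keyFile + " must be mode 0600 (owner read/write only), found " + perms);
            }
        }
        byte[] raw = Files.readAllBytes(keyFile);
        if (raw.length != 32) {
            throw new IOException("Expected a raw 32-byte AES-256 key in " + keyFile);
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Payload layout (assumed): base64( 12-byte IV || AES-GCM ciphertext with 128-bit tag ). */
    static String decrypt(String base64Payload, SecretKey key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(base64Payload);
        if (blob.length <= IV_BYTES) {
            throw new IllegalArgumentException("Encrypted payload too short to contain an IV");
        }
        byte[] iv = new byte[IV_BYTES];
        System.arraycopy(blob, 0, iv, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        // GCM verifies the authentication tag here; a tampered payload throws AEADBadTagException.
        byte[] plain = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }
}
```

Note what this does and does not buy you, in line with the answer: the clear-text password still exists in the `BasicDataSource` field at runtime, and the key file is just another secret on the same disk, so the permission check on it is doing the real work. The only gain over a plain `jdbc.password=abc123` is that a copy of `jdbc.properties` on its own (in a backup, a repository, or a log of the deployed config) is useless without `db.key`.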