wood burning stoves*
The moose likes JDBC and the fly likes Retrieving Database Username and Password Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Databases » JDBC
Bookmark "Retrieving Database Username and Password" Watch "Retrieving Database Username and Password" New topic
Author

Retrieving Database Username and Password

Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
Hi all,

I'm working on an application (being developed on WebSphere application server) and this Java application needs to communicate with another application written in a different language. This other application needs access to the database we're using.

In this case, we have created an application user account that we use to log in to the database. One of our security requirements is that the password on this account be changed every few months. As such, we want it to be stored in a single place and that place should be accessible so that we can modify it down the road. We decided to keep the username and password in the datasource configuration within WAS.

Well, in keeping with our concept of keeping the username/password in one place, we need to actually pass that data to the other application so that it can access the database. Unfortunately, I'm not sure how, within my web application, to pull that information out of the server registry. If I could get it out, passing it to the other application is really no problem, at all.

Anyone know how to get that information out of the server registry? I was looking into using the DatabaseMetaData class and, as appealing as the getAttributes method is, it's only available in version 1.4+ and we're developing on 1.3. I also tried the getURL() method, but no luck there.

Any ideas?

Thanks.


SCJP Tipline, etc.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29241
    
139

Corey,
That problem looks like a doozy. The easiest way is a property file, but I admire your effort to get the password in one place. Have you checked the WebSphere specific APIs? I doubt that they would have such a security breach possible through code, but you never know. (I wouldn't want a rogue app to be able to get the password of any datasource on the server.)

Another approach is to see if it is possible to get the password through wsadmin (jacl). It may be, since you can set it that way. And most wsadmin objects allow you to get all their attributes.

Just out of curiousity, does DatabaseMetaData do what you want? It gives the schema information and the like, but I don't see the password.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Corey McGlone
Ranch Hand

Joined: Dec 20, 2001
Posts: 3271
That problem looks like a doozy. The easiest way is a property file...


I wanted to use a property file, as well. Heck, I'd even put it in the web.xml file as a servlet init parameter, but I was told it would be "more secure" to put it into the datasource configuration.

Honestly, is there anything unsecure about putting the username and password into a .properties file or the web.xml file, either of which would be stored within the WEB-INF directory, which should be secure? I don't know what the problem is with that.

Just out of curiousity, does DatabaseMetaData do what you want? It gives the schema information and the like, but I don't see the password.


DatabaseMetaData gets me some of what I need. In addition to the username and password, I need to be able to send the database name to the other application (as we have multiple databases in multiple environmenets - Dev, Test, and Production). I can get the database name from the getURL() method and I can get the username from the getUsername() method. Unfortunately, I have no way to get the password. That seems to be my hangup.

My favorite solution would be simply to move the database username and password to a properties file or the deployment descriptor. I'm just not sure who I have to sleep with in order to get that done. :roll:
Adeel Ansari
Ranch Hand

Joined: Aug 15, 2004
Posts: 2874
Why not write an encrypted password there in the property file. After getting it, decrypt it in your code.

[edited]
Better decrypt it after getting it transfered to the other app.

How it sounds?
[ April 16, 2005: Message edited by: Adeel Ansari ]
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 29241
    
139

Originally posted by Corey McGlone:
Honestly, is there anything unsecure about putting the username and password into a .properties file or the web.xml file, either of which would be stored within the WEB-INF directory, which should be secure? I don't know what the problem is with that.


Corey,
There isn't anything inherently insecure about using an (encrypted) property file. You lose the advantages of J2C for security, but it's a tradeoff between that and having the password in one place. I'm not sure how WAS 6 handles passwords in property files vs datasources. You may want to check so the solution you pick is somewhat forward compatible.

Of the two choices, a favor a property file over the web.xml. It's somewhat more independent of your app.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Retrieving Database Username and Password
 
Similar Threads
Converting an application to Java (new to Java)
Accessing LDAP Registry using Java API
Authentication is not requiring password
Secure Access to a Database?
IBM HttpServer and websphere Appserver