Passwords

colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Hi, quite a general question here...

Supposing I have a web project on a server (as a war file) for example,
and this code requires my googlemail password so that it can send emails via smtp.

Currently I would just put my password in with the code (hard coding it in).
But if the war file could be downloaded from the site, then possibly the password could be retrieved.

So I'm thinking possibly put the password in the sql database on the same server, and then just retrieve it when needed.
Also I was looking at encryption and decryption, but I don't know how that would help; I think I need to store the password in the database where it's safe.

Any thoughts?

Thanks
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18708
    
    8

colin shuker wrote: But if the war file could be downloaded from site, then possibly the password could be retrieved.


True. But web sites typically don't allow that. Do you have one which does? Then you really ought to stop allowing it. If not, then what's the concern?
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
Thanks, I am able to download my war files from my website.

I just put them in the root directory, and when I enter www.mysitename.com/warfilename.war
I am able to download.

I'm not sure how one would prevent this.

Any thoughts? Thanks
colin shuker
Ranch Hand

Joined: Apr 11, 2005
Posts: 744
OK, it seems I can turn off the 'read' option in the file permissions, and this works.
Wouter Oet
Saloon Keeper

Joined: Oct 25, 2008
Posts: 2700

Which server do you use?


"Any fool can write code that a computer can understand. Good programmers write code that humans can understand." --- Martin Fowler
Please correct my English.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Well, if you just put a war file in your document root, sure, it's just a file. But why would you put your war file there?
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19723
    
  20

I suggest you follow this thread as well. It handles roughly the same issue.

I'll repeat my suggestion from that thread: put your sensitive configuration files in the WEB-INF folder. According to the servlet container specification, none of the files and folders inside may be accessible directly through requests, only through JSP / servlet code.


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions