Suppose I have a web project on a server (as a WAR file), for example,
and this code requires my Googlemail password so that it can send emails via SMTP.
Currently I would just put my password in with the code (hard-coding it in).
But if the WAR file could be downloaded from the site, then possibly the password could be retrieved.
So I'm thinking of possibly putting the password in the SQL database on the same server, and then just retrieving it when needed.
Also, I was looking at encryption and decryption, but I don't know how that would help; I think I need to store the password in the database, where it's safe.
I suggest you follow this thread as well. It handles roughly the same issue.
I'll repeat my suggestion from that thread: put your sensitive configuration files in the WEB-INF folder. According to the servlet container specification, none of the files and folders inside may be accessible directly through requests, only through JSP / servlet code.
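The approach suggested in the answer above, as an added example that is not part of the original thread: a listener that reads SMTP settings from a file under WEB-INF through servlet code at startup and refuses to start if a setting is missing. It assumes the `javax.servlet` API (3.0 or later); the file name `/WEB-INF/mail.properties`, the key names and the attribute name are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Added example: loads SMTP settings from a file under WEB-INF at startup.
// The path, key names and attribute name are hypothetical, chosen for illustration.
@WebListener
public class MailConfigListener implements ServletContextListener {

    static final String CONFIG_PATH = "/WEB-INF/mail.properties"; // assumed file name
    static final String CONTEXT_ATTR = "mailConfig";              // assumed attribute name
    private static final String[] REQUIRED = {"smtp.host", "smtp.user", "smtp.password"};

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();
        Properties props = new Properties();
        // getResourceAsStream reads from inside the web application, including
        // WEB-INF, which the container does not serve in response to requests.
        try (InputStream in = ctx.getResourceAsStream(CONFIG_PATH)) {
            if (in == null) {
                throw new IllegalStateException("Missing " + CONFIG_PATH);
            }
            props.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + CONFIG_PATH, e);
        }
        for (String key : REQUIRED) {
            String value = props.getProperty(key);
            if (value == null || value.trim().isEmpty()) {
                // Report the key name only; the value must never reach a log.
                throw new IllegalStateException("Missing key " + key + " in " + CONFIG_PATH);
            }
        }
        // Servlets and JSPs obtain the settings from the context, not from a URL.
        ctx.setAttribute(CONTEXT_ATTR, props);
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        event.getServletContext().removeAttribute(CONTEXT_ATTR);
    }
}
```

WEB-INF blocks direct HTTP requests for the file, but a properties file packaged there is still inside the WAR archive, so anyone who can obtain the WAR itself can read it.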