
Secure DataSource configuration in Spring

John McParland
Ranch Hand

Joined: May 11, 2009
Posts: 92

I am writing a web application using Java/Spring and MySQL.

At the moment I have a datasource configured as follows;



But the "password" property concerns me. It seems wrong to pass the data source the password explicitly.

I have taken some measures to improve the security of my app including;

  • changing the root password
  • giving my application a userid/password for it alone
  • ensuring my apps user id can only access the database it needs (and only do what it needs)


But I'm not sure how to configure the data source in a more secure manner. I'd imagine anything which requires a password property at all is off the table.

    How do others securely configure their data sources?

    Thanks,

    John

    Passed: SCJP 6 (90%), SCJD 6
    Other: Spring training, extensive Swing experience
    Bill Gorder
    Bartender

    Joined: Mar 07, 2010
    Posts: 1649

    Typically, in enterprise applications I have worked on, we as application developers use JNDI to get the database connection, and all the details such as username and password are configured by a different group responsible for maintaining that information and setting it up in the J2EE server.

    Alternatively you could encrypt the properties file using Jasypt. Of course, doing this alone is not enough; you would also want to store your encryption password in the environment to be used by the application during startup, and then you would remove it from the environment afterwards. There is a nice example of this approach in Spring in Action 3rd edition. I would recommend picking this book up as it is a good read anyway; otherwise I am sure Google could provide some good examples as well.

    Thanks,

    [How To Ask Questions][Read before you PM me]
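The Jasypt approach described in the post above, as an added example (not code from the thread or from the book it mentions): the properties file holds only an `ENC(...)` ciphertext, and the decryption key comes from an environment variable at startup. The variable name `APP_ENCRYPTION_PASSWORD`, the property names and the sample password are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.properties.EncryptableProperties;

public class EncryptedDbProperties {

    // Assumed variable name; set it only for the process that starts the application.
    static final String KEY_ENV = "APP_ENCRYPTION_PASSWORD";

    static StandardPBEStringEncryptor encryptorFromEnvironment() {
        if (System.getenv(KEY_ENV) == null) {
            // Fail at startup rather than on the first database call.
            throw new IllegalStateException(KEY_ENV + " is not set");
        }
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        // Reads the key from the environment when this setter is called.
        config.setPasswordEnvName(KEY_ENV);
        // No algorithm is set, so Jasypt's default (PBEWithMD5AndDES) applies;
        // choose a stronger one supported by your JVM and Jasypt version.
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    public static void main(String[] args) throws IOException {
        StandardPBEStringEncryptor encryptor = encryptorFromEnvironment();

        // Constructed sample: in practice the ENC(...) value is produced once,
        // offline, and only the ciphertext is stored in the properties file.
        String stored = "ENC(" + encryptor.encrypt("constructed-sample-password") + ")";
        String file = "jdbc.username=app_user\njdbc.password=" + stored + "\n";

        Properties props = new EncryptableProperties(encryptor);
        props.load(new StringReader(file));

        // ENC(...) values are decrypted on read; plain values pass through unchanged.
        String clear = props.getProperty("jdbc.password");
        System.out.println("stored value : " + stored);
        System.out.println("decrypts ok  : " + "constructed-sample-password".equals(clear));
    }
}
```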
    John McParland
    Ranch Hand

    Joined: May 11, 2009
    Posts: 92

    Thanks Bill. The idea of using JNDI and the username/password being configured separately on the server sounds about right. I like how it means the code can be entirely separated from the authentication.

    I've got the Spring In Action book but haven't come across that example yet. I'll give it a go.

    Thanks
    Manish Sridharan
    Ranch Hand

    Joined: Jul 19, 2005
    Posts: 64
    Quite agree JNDI would be a better way to go for it. Perhaps you can have a look at this link: Configure JNDI with Spring

    Thanks,


    Manish S.
    John McParland
    Ranch Hand

    Joined: May 11, 2009
    Posts: 92

    Manish Sridharan wrote: Quite agree JNDI would be a better way to go for it. Perhaps you can have a look at this link: Configure JNDI with Spring

    Thanks,


    Thanks - I'll certainly use it!
    John McParland
    Ranch Hand

    Joined: May 11, 2009
    Posts: 92

    Hi again.

    I tried the example based on Tomcat JNDI Datasource Examples - HOWTO for MySQL and also section 5.2.1 of Spring In Action (2nd Edition) but I haven't had any luck.

    Here's what I've got now.

    In XAMPP (the web server I'm using for testing just now); I've got a Context.xml file in this location C:\xampp\tomcat\conf\Catalina\localhost
    It looks as follows;



    Then in my Spring Beans property file I have



    And finally some noddy Java code



    Unfortunately when I run this I get an exception;



    I'm not sure exactly where it's gone wrong. Any ideas anyone?

    Thanks,

    John
    Manish Sridharan
    Ranch Hand

    Joined: Jul 19, 2005
    Posts: 64
    Just had a glance at the stack trace. It seems either JNDI is not initialized properly or it has not been retrieved properly in the application. You can try the following things to check that.

    1. Try changing to
    I think forward slash might not be required.

    2. Create a simple main class and try to get the datasource object directly from JNDI. Try with runtime debugging; it will give a lot more information on the JNDI.

    Another important thing: please initialize the log4j properties file and set it to debug level for Spring classes. This will give you more logging information about where in Spring it has failed.
    I generally attach the Spring source code while debugging to see where the application is failing.


    Thanks
    John McParland
    Ranch Hand

    Joined: May 11, 2009
    Posts: 92

    Manish Sridharan wrote: Just had a glance at the stack trace. It seems either JNDI is not initialized properly or it has not been retrieved properly in the application. You can try the following things to check that.

    1. Try changing to
    I think forward slash might not be required.

    2. Create a simple main class and try to get the datasource object directly from JNDI. Try with runtime debugging; it will give a lot more information on the JNDI.

    Another important thing: please initialize the log4j properties file and set it to debug level for Spring classes. This will give you more logging information about where in Spring it has failed.
    I generally attach the Spring source code while debugging to see where the application is failing.


    Thanks


    Thanks Manish. I tried suggestion one and put trace logging on for all. I'm not sure exactly where I could put a breakpoint on since it fails early on.

    Manish Sridharan
    Ranch Hand

    Joined: Jul 19, 2005
    Posts: 64


    From this log it seems the JNDI object itself is not created. You should check if your context.xml is getting loaded in your application or not. As far as I can see from the log, it is not getting loaded.

    Thanks
    Dariusz Majewski
    Greenhorn

    Joined: Apr 12, 2012
    Posts: 1
    Hi John,

    You've just created a simple Java application with a Spring context that doesn't know anything about Tomcat.

    After you've defined the DB resource in Tomcat, to be able to use it, you have to create a web application and deploy it in Tomcat.

    In your web.xml you'll have to add something like this:



    and to quickly test if it works you can create a simple servlet which will use WebApplicationContextUtils to retrieve spring context and your bean.

    hope this helps.


    Dariusz
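The quick test suggested in the post above, as an added example (not code from the thread): a servlet that fetches the Spring context through `WebApplicationContextUtils`, asks it for the container-managed `DataSource` and checks one connection. It assumes a bean named `dataSource` defined by a JNDI lookup, a Spring context loaded by `ContextLoaderListener` in web.xml, and the `javax.servlet` API; the class name is hypothetical.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import org.springframework.beans.BeansException;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Hypothetical diagnostic servlet; map it in web.xml and remove it after testing.
public class DataSourceCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        try {
            // Throws IllegalStateException if no Spring context was loaded
            // for this web application.
            WebApplicationContext ctx = WebApplicationContextUtils
                    .getRequiredWebApplicationContext(getServletContext());

            // "dataSource" is an assumed bean name. The application never sees
            // the database password; Tomcat holds it in the resource definition.
            DataSource ds = ctx.getBean("dataSource", DataSource.class);

            try (Connection c = ds.getConnection()) {
                resp.getWriter().println(
                        c.isValid(2) ? "datasource OK" : "connection not valid");
            }
        } catch (IllegalStateException | BeansException | SQLException e) {
            // Keep JNDI names, driver messages and stack traces in the server
            // log; the client only learns that the check failed.
            log("DataSource check failed", e);
            resp.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            resp.getWriter().println("datasource unavailable");
        }
    }
}
```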
     