Re: connect with Java to Oracle without clear text password in code

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: aluoor@xxxxxxxxx
  • Date: Wed, 13 Apr 2011 11:02:29 +0100

Your installPath variable rather suggests that you are using the JBoss
application server to deploy this application :). JBoss (and all J2EE
application servers in fact) support a technology called JNDI (e.g.
http://docs.jboss.org/jbossweb/3.0.x/jndi-resources-howto.html). That would
in general be a better approach for your database connection management.
Depending on the application server the database password may still be
stored in plain text in a configuration file on the application server but
it won't be stored in the code and is the responsibility of the various
admins to maintain. It also of course means that you can develop against a
db that you know the password to and deploy in production without ever being
aware of the production password, its change policy and so on. Your new
code would end up looking like



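// envCtx is the component's JNDI environment context (standard J2EE lookup)
Context envCtx = (Context) new InitialContext().lookup("java:comp/env");

// The server resolves "jdbc/myApp" to a DataSource configured by the admins
DataSource ds = (DataSource) envCtx.lookup("jdbc/myApp");

Connection cn = ds.getConnection();

createOutputOne();
createOutputTwo();
createOutputTree();
createOutputFour();

// Hands the connection back to the server's pool
cn.close();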



On Wed, Apr 13, 2011 at 9:11 AM, Sven Aluoor <aluoor@xxxxxxxxx> wrote:

> Hi folks
>
> Here is a snippet of the code
>
> public class ScriptOutput {
>
>        private static String installPath = "//opt//jboss//tools//copy//";
>        private static String host = "mz007542.internal.hosts", port = "1521", sid = "ISSPDB",
>                        dbuser = "issdbuser", pw = "5s8yk5sbm3sj7";
>
>        private static Connection cn;
>
>        public static void main(String[] args) {
>
>                try {
>
>                        Class.forName("oracle.jdbc.driver.OracleDriver").newInstance();
>                        String url = "jdbc:oracle:thin:@" + host + ":" + port + ":" + sid;
>                        cn = DriverManager.getConnection(url, dbuser, pw);
>                } catch (SQLException e) {
>                        e.printStackTrace();
>                } catch (InstantiationException e) {
>                        e.printStackTrace();
>                } catch (IllegalAccessException e) {
>                        e.printStackTrace();
>                } catch (ClassNotFoundException e) {
>                        e.printStackTrace();
>                }
>                createOutputOne();
>                createOutputTwo();
>                createOutputTree();
>                createOutputFour();
>        }
>
> You see there is a clear text password for connecting to remote DB
> instance. I have no access to remote DB instance, only unprivileged
> user.
> How to not write clear text password in the Java code (without
> modifying remote Oracle server)?
>
> Any good ideas for better security? Please give detailed instructions
> because I have almost no experience with Java.
>
> cheers Sven


-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
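
Added example (not part of the original thread, and not code from either poster): a complete class using the JNDI DataSource approach described in the reply, so that no host, user name or password appears in the source. The class name ScriptOutputJndi, the helper currentSchemaUser() and the JNDI name jdbc/myApp are assumptions; the name must match whatever the server administrators configure.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class ScriptOutputJndi {

    // Assumed JNDI name; it must match the resource defined on the server.
    private static final String DS_NAME = "jdbc/myApp";

    /** Resolves the container-managed DataSource; credentials stay in server config. */
    static DataSource lookupDataSource() throws NamingException {
        Context envCtx = (Context) new InitialContext().lookup("java:comp/env");
        return (DataSource) envCtx.lookup(DS_NAME);
    }

    /** Hypothetical stand-in for the createOutput*() methods; uses the given connection. */
    static String currentSchemaUser(Connection cn) throws SQLException {
        try (Statement st = cn.createStatement();
             ResultSet rs = st.executeQuery("SELECT USER FROM DUAL")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void run() {
        try {
            DataSource ds = lookupDataSource();
            // try-with-resources returns the connection to the pool even on error
            try (Connection cn = ds.getConnection()) {
                System.out.println("Connected as " + currentSchemaUser(cn));
            }
        } catch (NamingException e) {
            // Thrown outside the application server, or when DS_NAME is not bound
            System.err.println("DataSource " + DS_NAME + " not available: " + e);
        } catch (SQLException e) {
            // Report the SQLState only; keep connection details out of shared logs
            System.err.println("Database error, SQLState=" + e.getSQLState());
        }
    }

    public static void main(String[] args) {
        run(); // stand-alone, this takes the NamingException branch
    }
}
```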
