How to connect to a database that requires a password without exposing the password?

ceklock · Jun 19, 2012 · Viewed 13.7k times

I am creating an application and I need to connect to a database. The database requires login/password so the application can do operations like select and insert.

In the application I need to connect to the database using login and password, so the application is free to do some tasks on the database. My question is: how do I store and use a password to connect to the database without exposing the password?

I can't simply use a hash or encryption to store the password because the database must recognize the password (I think most or all databases must receive the password as plain text).

Note: The connection is made by the application. No human input to do the connection.

(Edit) More info about the application: it is a web application using servlets/JSP. The database is on the same server as the application. The user for the application is a default user without complete admin powers, but it may insert/delete rows and do most things that involve queries and data modification in tables.

Answer

Bohemian · Jun 19, 2012

The usual way this is done is to externalize the username/password to a property/config file which is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).

The file is protected via the O/S security by the sysadmins.

The O/S has better tools for protection than app code.
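
The approach described in the answer above, as an added example (not part of the original answer): a loader that reads JDBC credentials from a properties file kept outside the web application and refuses to use it when the file permissions allow access by anyone other than the owner. The path `/etc/myapp/db.properties` and the keys `db.url`, `db.user` and `db.password` are assumptions of this example, and the permission check requires a POSIX file system.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public final class DbConfig {
    // Hypothetical location: created by the sysadmin outside the WAR/webapp,
    // owned by the app server's service account, mode 0400 or 0600.
    private static final Path CONFIG = Paths.get("/etc/myapp/db.properties");

    // Any of these bits means another local account could read or alter the file.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    static Properties load(Path file) throws IOException {
        // Fail closed: do not start with credentials that the O/S is not protecting.
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (TOO_OPEN.contains(p)) {
                throw new IOException(file + " is accessible beyond its owner (" + p + ")");
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }

    public static Connection connect() throws IOException, SQLException {
        Properties p = load(CONFIG);
        // Key names are this example's own convention, not a JDBC standard.
        return DriverManager.getConnection(
                p.getProperty("db.url"),
                p.getProperty("db.user"),
                p.getProperty("db.password"));
    }
}
```

The file itself holds three plain `key=value` lines and is never packaged with the application or committed to source control.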