Storing Passwords in a Web Application
Asked by Angus
Folks,
I have a design question that I hope you can answer. We are currently developing a web application based on Tomcat/JSP with a MS SQL database.
The data on the database is sensitive and must be kept secure. As the data needs to be read by several people, we have not implemented one-way encryption on the data. Instead we have used an encryption algorithm which is based on a 64 character key.
Our issue is this: Where to store this key and where to store the log on details for the database?
At the moment they are hardcoded into the JSP code. We have considered storing them in a file on the server, but it hits performance too much to be reading data from file every time the user accesses the database.
We also have a question on whether to use one key for all data or to manage separate keys by record/customer.
I am sure this is not a new problem that we are facing and I turn to you resident experts for guidance.
You can use a servlet to load the data, and have a couple of static methods to return the values...
Just set the load-on-startup flag in web.xml
http://forum.java.sun.com/thread.jspa?threadID=606542&tstart=0
If someone has direct access to the machine it's running on, there is basically nothing you can do to stop them gaining access to your sensitive data...
it's only a matter of time...
GrandSchtroumpf & TimYates
Thanks for all your advice - indeed you have given me direction. I have though a couple of followup questions.
1) Are there any methods for handling the properties file or do I have to resort to reading a text file and parsing it?
2) What is your recommendation for handling passwords in server.xml. At the moment we are using connection pools in server.xml, and the passwords are open for viewing by anyone with access to my files.
Cheers
Angus
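The load-on-startup servlet with static accessors suggested above, combined with the properties-file handling asked about in follow-up question 1 and the per-customer-key question from the original post, as one added example. This is not code from the thread or from any of its participants; the class name ConfigServlet, the file path /etc/myapp/app.properties, the system property app.config and the property names db.user, db.password and crypto.masterKeyHex are all assumed. It reads the file once when Tomcat starts (so no request touches the filesystem), keeps the values in memory, and derives a separate key per customer from the single master key with HMAC-SHA256 instead of storing a key per record. It uses the javax.servlet package of the Tomcat generation the thread is about; Tomcat 10 and later use jakarta.servlet instead.

```java
// web.xml fragment for the servlet below (added example; names are assumed):
//   <servlet>
//     <servlet-name>config</servlet-name>
//     <servlet-class>ConfigServlet</servlet-class>
//     <load-on-startup>1</load-on-startup>
//   </servlet>
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Properties;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

/**
 * Loaded once at container start (load-on-startup), reads the secrets from a
 * properties file outside the webapp and keeps them in memory, so no request
 * re-reads the file. Assumed file: /etc/myapp/app.properties, readable only by
 * the Tomcat user, containing db.user, db.password and crypto.masterKeyHex.
 */
public class ConfigServlet extends HttpServlet {
    private static volatile String dbUser;
    private static volatile char[] dbPassword;
    private static volatile byte[] masterKey;

    @Override
    public void init() throws ServletException {
        // The path comes from the JVM command line (-Dapp.config=...), not from the WAR.
        String path = System.getProperty("app.config", "/etc/myapp/app.properties");
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            p.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read config file " + path, e);
        }
        dbUser = require(p, "db.user");
        dbPassword = require(p, "db.password").toCharArray();
        masterKey = hexToBytes(require(p, "crypto.masterKeyHex"));
        // Assumption: the thread's "64 character key" is 32 bytes written as hex.
        if (masterKey.length != 32) {
            throw new ServletException("crypto.masterKeyHex must be 64 hex characters");
        }
    }

    public static String getDbUser() { return dbUser; }

    /** Returns a copy so the caller can wipe it after opening the connection. */
    public static char[] getDbPassword() { return dbPassword.clone(); }

    /**
     * Per-customer data key derived from the one master key:
     * HMAC-SHA256(masterKey, "customer:" + customerId). Each customer gets a
     * distinct key while only the master key is ever stored.
     */
    public static byte[] customerKey(String customerId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
            return mac.doFinal(("customer:" + customerId).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }

    private static String require(Properties p, String key) throws ServletException {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new ServletException("missing property " + key);
        }
        return v.trim();
    }

    private static byte[] hexToBytes(String hex) throws ServletException {
        if (hex.length() % 2 != 0) throw new ServletException("odd-length hex key");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new ServletException("non-hex character in key");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

A JSP or DAO then calls ConfigServlet.getDbUser(), ConfigServlet.getDbPassword() and ConfigServlet.customerKey(id) instead of carrying literals. The file should be owned by the account Tomcat runs as with mode 0600, and the WAR should contain no copy of it. As the reply above points out, this only raises the bar: anyone with root or administrator access to the box can still read the file, or the JVM's heap, so the file's permissions and the host's access controls are what actually protect the key.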
ASKER
ouch...how did that happen.... must still have an old log in with ae1974...... so much for security eh?
regards
Angus
ASKER
TimYates & GrandSchtroumpf
Many thanks for your help. Very solid and sound replies and now our DB is secure!!
All the best. I have split the points between you.
Regards
Angus