Angus (United Kingdom) asked:
Storing Passwords in a Web Application

Folks,

I have a design question that I hope you can answer.  We are currently developing a web application based on Tomcat/JSP with a MS SQL database.

The data on the database is sensitive and must be kept secure.  As the data needs to be read by several people, we have not implemented one-way encryption on the data.  Instead we have used an encryption algorithm which is based on a 64 character key.

Our issue is this:  Where to store this key and where to store the log on details for the database?

At the moment they are hardcoded into the JSP code.  We have considered storing them in a file on the server, but it hits performance too much to be reading data from file every time the user accesses the database.

We also have a question on whether to use one key for all data or to manage separate keys by record/customer.

I am sure this is not a new problem that we are facing and I turn to you resident experts for guidance.
COBOLdinosaur (Canada):

You don't need to read the file every time; all you need is a class for your listener that loads the file on initialization and then has a getter method for returning the password data.

Cd&
TimYates:
You can use a servlet to load the data, and have a couple of static methods to return the values...

Just set the load-on-startup flag in web.xml

http://forum.java.sun.com/thread.jspa?threadID=606542&tstart=0
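An added example (not code from the thread or from any of the posters) of the approach both COBOLdinosaur and TimYates describe: a ServletContextListener, registered in web.xml, that reads the database credentials and the data-encryption key from a properties file once at startup and hands them out through static getters, so nothing is hard-coded in the JSPs and nothing is re-read per request. The package name, context-param name, property names and file path are assumptions; the file-permission check is an extra defensive step, not something the thread proposes.

```java
// Added example: secrets loaded once at webapp start via a ServletContextListener.
// Package, property names, file path and context-param name are assumptions.
package example.config;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

public class SecretsListener implements ServletContextListener {

    // The file location comes from a context-param in web.xml so the file can live
    // outside the deployed webapp directory (not under webapps/, not inside the WAR).
    private static final String LOCATION_PARAM = "secretsFile";   // assumed name

    private static volatile String dbUser;
    private static volatile String dbPassword;
    private static volatile String dataKey;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        String location = sce.getServletContext().getInitParameter(LOCATION_PARAM);
        if (location == null) {
            throw new IllegalStateException("context-param " + LOCATION_PARAM + " is not set");
        }
        Path file = Paths.get(location);
        refuseIfWorldReadable(file);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);   // java.util.Properties does the key=value parsing
        } catch (IOException e) {
            throw new IllegalStateException("cannot read secrets file " + file, e);
        }
        dbUser = require(props, "db.user");
        dbPassword = require(props, "db.password");
        dataKey = require(props, "data.key");
        // The question describes a 64-character key: fail at startup if it is malformed.
        if (dataKey.length() != 64) {
            throw new IllegalStateException("data.key must be exactly 64 characters");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        dbUser = null;
        dbPassword = null;
        dataKey = null;
    }

    // Getters used by the JSPs / DAOs instead of hard-coded literals.
    public static String getDbUser() { return dbUser; }
    public static String getDbPassword() { return dbPassword; }
    public static String getDataKey() { return dataKey; }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) {
            throw new IllegalStateException("missing property " + key);
        }
        return v.trim();
    }

    // On POSIX filesystems, refuse to start if the file is readable by group or
    // others, so a mistaken chmod is noticed at deploy time.
    private static void refuseIfWorldReadable(Path file) {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new IllegalStateException(file + " must be readable only by the Tomcat user");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. NTFS): ACLs have to be checked by other means.
        } catch (IOException e) {
            throw new IllegalStateException("cannot stat " + file, e);
        }
    }
}

/* Registered in WEB-INF/web.xml (listeners exist since Servlet 2.3 and run before
   any servlet is initialized, which covers TimYates's load-on-startup point):

   <context-param>
       <param-name>secretsFile</param-name>
       <param-value>/etc/myapp/secrets.properties</param-value>
   </context-param>
   <listener>
       <listener-class>example.config.SecretsListener</listener-class>
   </listener>

   and /etc/myapp/secrets.properties (mode 0400, owned by the Tomcat user):

   db.user=appuser
   db.password=PLACEHOLDER_PASSWORD
   data.key=PLACEHOLDER_64_CHARACTER_KEY
*/
```

A JSP or DAO then calls SecretsListener.getDbPassword() and SecretsListener.getDataKey(); the file is touched exactly once per deployment, so the per-request cost the asker worried about disappears.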
ASKER CERTIFIED SOLUTION by GrandSchtroumpf (content available to Experts Exchange members only)

If someone has direct access to the machine it's running on, there is basically nothing you can do to stop them gaining access to your sensitive data...

it's only a matter of time...
ae1974:

GrandSchtroumpf & TimYates

Thanks for all your advice - indeed you have given me direction.  I have though a couple of follow-up questions.

1) Are there any methods for handling the properties file, or do I have to resort to reading a text file and parsing it?

2) What is your recommendation for handling passwords in server.xml.  At the moment we are using connection pools in server.xml, and the passwords are open for viewing by anyone with access to my files.

Cheers
Angus


Angus (asker):

ouch... how did that happen.... must still have an old log in with ae1974...... so much for security eh?

regards
Angus
SOLUTION (content available to Experts Exchange members only)
Angus (asker):

TimYates & GrandSchtroumpf

Many thanks for your help.  Very solid and sound replies and now our DB is secure!!

All the best.  I have split the points between you.
Regards
Angus