?
Solved

Storing Passwords in a Web Application

Posted on 2005-05-16
8
Medium Priority
?
201 Views
Last Modified: 2010-04-06
Folks,

I have a design question that I hope you can answer.  We are currently developing a web application based onTomcat/JSP with a MS SQL database.

The data on the database is sensitive and must be kept secure.  As the data needs to be read by several people, we have not implemented one-way encryption on the data.  Instead we have used anencryption algorithm which is based on a 64 character key.

Our issue is this:  Where to store this key and where to store the log on details for the database?

At the moment they are hardcoded into the JSP code.  We have considered storing them in a file on the server, but it hits performance to much to be reading data from file every time the user accesses the database.  

We also have a question on whether to use one key for all data or to manage seperate keys by record/customer.

I am sure this is not a new problem that we are facing and I turn to you resident experts for guidance.
0
Comment
Question by:amacfarl
8 Comments
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 14009527
You don't need to read the file every time all you need is a class for you listener that loads the file on initialization and then has a getter method for returning the password data..

Cd&
0
 
LVL 35

Expert Comment

by:TimYates
ID: 14010246
You can use a servlet to load the data, and have a couple of static methods to return the values...

Just set the load-on-startup flag in web.xml

http://forum.java.sun.com/thread.jspa?threadID=606542&tstart=0
0
 
LVL 30

Accepted Solution

by:
GrandSchtroumpf earned 1000 total points
ID: 14010306
It's much better to save the key and connection parameters in a file (make sure you set the file premissions so that only the application can read it).

Ad Cd& said, you don't need to read the file each time you want to connect to the database.
But you should definitely NEVER define a getter method that returns your password or key or any sensitive data.

You can write a connection class that holds all the connection parameters in PRIVATE data members without ANY getters.
The class constructor should read the file and set the values of the private connection parameters.
Then you can define a method that connects to the DB using the private data and returns the connection handle.

For additional security you can encrypt the parameters file and use a hardcoded key to decrypt the content of the file.
This way if someone gains direct access to the file, (s)he will need the hardcoded key to read it.
If you have several different applications that access the database, you can use different hardcoded keys, so each file will be different.

Note that java hard-coded Strings appear unchanged in the compiled class file when the file is opened in a text editor.
So, if you are completely paranoid, you can use some string manipulation to build your hard-coded key.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 35

Expert Comment

by:TimYates
ID: 14010339
If someone has direct access to the machine its running on, there is basically nothing you can do to stop them gaining access to your sensetive data...

it's only a matter of time...
0
 

Expert Comment

by:ae1974
ID: 14011043
GrandSchtroumpf & TimYates

Thanks for all your advice - indeed you have given me direction.  I have though a couple of followup questions.

1) Are there any methods for handling the properties file or do I have to result to reading a text file and parsing it.

2) What is your recommendation for handling passwords in server.xml.  At the moment we are using connection pools in server.xml, and the passwords are open for viewing by anyone with access to my files.

Cheers
Angus


0
 
LVL 2

Author Comment

by:amacfarl
ID: 14011061
ouch...how did that happen.... must still have an old log in with  ae1974...... so much for security eh?

regards
Angus
0
 
LVL 35

Assisted Solution

by:TimYates
TimYates earned 1000 total points
ID: 14011109
>>  ouch...how did that happen.... must still have an old log in with  ae1974...... so much for security eh?

Hehe, you'd better get in touch with a moderator, and get them to delete one of your accounts...  

If they catch you with 2, they tend to get upset :-/ ;-)

>> Are there any methods for handling the properties file or do I have to result to reading a text file and parsing it.

There is the java.util.Properties class: see;

http://javaalmanac.com/egs/java.util/Props.html
http://javaalmanac.com/egs/java.util/GetSetProps.html

>> What is your recommendation for handling passwords in server.xml.  At the moment we are using
>> connection pools in server.xml, and the passwords are open for viewing by anyone with access to my files.

Do other people have access to the files?  I would tighten up access restrictions if you can so only admins and the website process have access...

You can encrypt them as GrandSchtroumpf says, and decrypt them by using a method in your java application, but that could end up being a lot of effort that is generally easily undone with a Java decompiler, so you are best off putting your efforts to tightening access, firewalls, etc...

Moving the password out of the config files is much like putting an extra bolt on your front door.  It will slow some people down, put off others, but have no effect to a determined theif with a powerful shoulder :-(

Tim
0
 
LVL 2

Author Comment

by:amacfarl
ID: 14021308
TimYates & GrandSchtroumpf

Many thanks for your help.  Very solid and sound replies and now our DB is secure!!

All the best.  I have split the points between you.
Regards
Angus
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the sites are being standardized with W3C Web Standards. W3C provides lot of web standard services to the web. They have the web specification, process and documentation for all the web standards. You can apply HTML, CSS and Accessibility st…
Preface This article introduces an authentication and authorization system for a website.  It is understood by the author and the project contributors that there is no such thing as a "one size fits all" system.  That being said, there is a certa…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question