[Webappsec] Java security & tomcat with DB credentials
Steven Whatmore
Stevenw at sigmasoft.ca
Thu Apr 19 10:35:33 EDT 2007
Good morning,
I am looking for some strategies for maintaining the security of the DB
credentials in a Tomcat Java / JSP application.
As is the standard in almost all Java / JSP applications running in the
context of a Tomcat server, the credentials for connecting to the
database are maintained in some form in a properties file, whether that
is the context.xml or some other properties file. These credentials are
maintained in clear text, so that if the security of the application
server is breached, any informed hacker would only have to look in these
property files to gain the credentials for accessing the DB.
The question then is how to properly secure these credentials so that
the application can still connect to the DB securely, while at the same
time allowing the application to be started / restarted without operator
intervention (i.e. on server crash and restart having the application
start up automatically without an operator having to key in the
credentials manually).
Any thoughts or strategies?
Thanks in advance.
Whatty
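One concrete way to take the password out of context.xml while still letting Tomcat start unattended, as an added example that is not part of the post above and not Tomcat's own code: a custom JNDI ObjectFactory that reads the password from a separate file readable only by the Tomcat service account and then delegates to Tomcat's bundled DBCP factory. The class name example.SecretFileDataSourceFactory, the passwordFile attribute, the path /etc/tomcat/secrets/appDb.pw and the PostgreSQL URL are all made up for the example; the delegate class org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory is the one shipped with Tomcat 8 and later (earlier releases bundle it under org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory).

```java
package example;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import javax.naming.spi.ObjectFactory;
import org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory;

/*
 * Hypothetical factory written for this page; it is not part of Tomcat.
 *
 * Weak (the pattern the post describes), password embedded in context.xml:
 *   <Resource name="jdbc/appDb" auth="Container" type="javax.sql.DataSource"
 *             driverClassName="org.postgresql.Driver"
 *             url="jdbc:postgresql://db.example.internal/app"
 *             username="app" password="s3cret"/>
 *
 * Hardened: no password attribute; instead the name of a file holding only the
 * password, owned by the Tomcat service account, mode 0400, outside the webapp
 * and outside anything that is committed or backed up with it:
 *   <Resource name="jdbc/appDb" auth="Container" type="javax.sql.DataSource"
 *             factory="example.SecretFileDataSourceFactory"
 *             driverClassName="org.postgresql.Driver"
 *             url="jdbc:postgresql://db.example.internal/app"
 *             username="app" passwordFile="/etc/tomcat/secrets/appDb.pw"/>
 *
 * Tomcat hands every Resource attribute to the factory as a StringRefAddr, so
 * this factory swaps "passwordFile" for a real "password" address and then
 * delegates to the DBCP factory. The JVM can read the file at every (re)start,
 * which is what "no operator intervention" requires.
 */
public class SecretFileDataSourceFactory implements ObjectFactory {

    private static final String PASSWORD_FILE_ATTR = "passwordFile";
    // Any of these bits on the secret file means another account can read or
    // replace it; refuse to start rather than run with a shared secret.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) {
            return null; // JNDI contract: not a reference this factory resolves
        }
        Reference in = (Reference) obj;
        Reference out = new Reference(in.getClassName(), in.getFactoryClassName(),
                                      in.getFactoryClassLocation());
        String passwordFile = null;
        Enumeration<RefAddr> addrs = in.getAll();
        while (addrs.hasMoreElements()) {
            RefAddr addr = addrs.nextElement();
            if (PASSWORD_FILE_ATTR.equals(addr.getType())) {
                passwordFile = String.valueOf(addr.getContent());
            } else if ("password".equals(addr.getType())) {
                // Fail closed: a clear-text password that slipped back into
                // context.xml must not silently win over the file.
                throw new NamingException("clear-text password attribute present for " + name);
            } else {
                out.add(addr); // url, username, driverClassName, pool settings...
            }
        }
        if (passwordFile == null) {
            throw new NamingException("missing " + PASSWORD_FILE_ATTR + " for " + name);
        }
        out.add(new StringRefAddr("password", readSecret(Paths.get(passwordFile))));
        return new BasicDataSourceFactory().getObjectInstance(out, name, nameCtx, environment);
    }

    /** Reads the secret after checking that only the file's owner can access it. */
    static String readSecret(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            if (FORBIDDEN.contains(p)) {
                throw new IOException(file + " is accessible to group/others: " + perms);
            }
        }
        // trim() drops the trailing newline most editors add; the value is never logged.
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim();
    }
}
```

The caveat a practitioner would add: this only separates the secret from the configuration. It defeats the common leak paths for context.xml (the file landing in version control, backups, a world-readable CATALINA_BASE, or a misconfigured path served by the web server), and the permission check makes Tomcat refuse to start if the secret file is ever left group- or world-readable. It does not protect against an attacker who already runs code as the Tomcat user, who can read the file exactly as the JVM does. Encrypting the password in the config has the same limit, because a process that restarts unattended must hold the decryption key on the same host; what remains worthwhile on the database side is a least-privilege account for the application and network restrictions on where that account may connect from.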