1

I usually keep database connection information including username/password in .properties file or in .xml file.Is there a way to make this more secure? I mean on directory level someone can easily edit the file and connect to database.

thanks

I use spring framework spring security and jsf 2 tools.I am actually looking for a solution other than handling file level authorization.Users can be granted access on linux and windows.Adding some paranioa I even would like to hide it from authorized users. I don t want the authorized users to see username/password information in plain text.

thanks for replies

Improve this question

3 Answers 3

Reset to default
1

You can encrypt those files and then use them. Though it will increase the overhead of encryption/decryption.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

You can make the connection string unaccessible for unauthorized users. this is a simple issue of permissions and simply revoking all unnecessary permission on your config file is enough. However you cannot protect the connection string from authorized users, and that always include all members of the local Administrators group and the user that runs the application.

There are ways to encrypt the connections string too, as configuration do support encryption, see Encrypting and Decrypting Configuration Sections. But this is a means to protect against accidental media loss (your HDD turns out in a flea market). Cryptography does not add any real protection more that file level authorization because the application itself needs to decrypt the configuration. I'm emphasizing this because all too often questions like yours actually mean a DRM enforcing question, how to ensure the user using the application does not see or modify some part of the application.

someone can easily edit the file and connect to database

I hope you mean 'someone can easily cause the application to connect to a different database' and this should be easy for authorized users. If you're trying to hide what database you're connecting to you're really barking up the wrong tree because that is visible in a myriad other ways.

Improve this answer

Comments

0

Take a look here It look like that, from the link i gave here.

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.