1

I've been searching for a way to avoid hard coding my database credentials into my code base (mainly written in Java), but I haven't found many solutions. I read this post where they said a one way hash could be the answer. Is there another way of securely connecting to a database without running into the risk of someone decompiling your code?

Just to clarify, I'm not looking for code, rather a nudge in the right direction.

Improve this question

5 Answers 5

Reset to default
2

If you can used spring boot application, then you can configure using cloud config method. I have added some postgresql db connection details for your further reference. Please refer following link for spring boot cloud config. spring_cloud

spring.datasource.driverClassName=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://{{db_url}}:5432/{{db_name}}
spring.datasource.username=postgres
spring.datasource.password=
spring.datasource.maxActive=3
spring.datasource.maxIdle=3
spring.datasource.minIdle=2
spring.datasource.initialSize=2
spring.datasource.removeAbandoned=true
spring.datasource.tomcat.max-wait=10000
spring.datasource.tomcat.max-active=3
spring.datasource.tomcat.test-on-borrow=true
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

You could load a config file in your code. Define some kind of file, such as JSON or XML, and define all of your configurations in there. You could point to the file as a command line argument, or just hardcode the file path.

Here's a post talking about parsing JSON config in Java: How to read json file into java with simple JSON library

Improve this answer

5 Comments

If they can decompile the application to get credentials then shipping an application with a file containing credentials doesn't seem much better.
The file wouldn't be compiled. If none is provided, the program wouldn't start.
So you'd ship an uncompiled file... I don't understand how this solves anything at all. The OP is stating that decompiling the code is the issue: this means we're not talking about a web app (or at least not a remote web app). If they can decompile the code it means it's local. If it's local an external file with credentials has the exact same issue as the code.
Makes sense. I was thinking more along the lines of something being deployed.
Yea this would be a simple desktop application, so people would be able to decompile the code and possibly look at any config file that are compiled with the program.
1

You can refer to these post. They are basically just saying to either hash, store it in a property file or use an API. Some of the posts are not merely on Java but you can get ideas from them.

How can I avoid hardcoding the database connection password? https://security.stackexchange.com/questions/36076/how-to-avoid-scripts-with-hardcoded-password https://www.codeproject.com/Articles/1087423/Simplest-Way-to-Avoid-Hardcoding-of-the-Confidenti

Improve this answer

Comments

1

The solution in our team, database as a service,other application use it's API to get database credentials,the request contains simple credentials like application name.

Improve this answer

3 Comments

How would I go about making a simple API of that sort? Are there any resources you know of?
@justanotherguy as far as I know there is no library for this,but create a API for this is simple,you can create a rest api(database as server).
There are several ways to do it. Check stackoverflow.com/a/51268633/3957754
1

You have several options to avoid hard code values in your source code:

  • Properties using Advanced Platforms
  • Properties from Environment variables
  • Properties from SCM
  • Properties from File System

More details here:

https://stackoverflow.com/a/51268633/3957754

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.