tags:

views:

3393

answers:

5
+3  Q: 

How to avoid storing passwords in the clear for tomcat's server.xml Resource definition of a DataSource?

The resource definition in tomcat's server.xml looks something like this...

<Resource
name="jdbc/tox"
scope="Shareable"
type="javax.sql.DataSource"
url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
driverClassName="oracle.jdbc.pool.OracleDataSource"
username="tox"
password="toxbaby"
maxIdle="3"
maxActive="10"
removeAbandoned="true"
removeAbandonedTimeout="60"
testOnBorrow="true"
validationQuery="select * from dual"
logAbandoned="true"
debug="99"/>

The password is in the clear. How to avoid this?

A: 

This question has also come up a few times on tomcat-user, where server.xml has the problem (JNDI DataSource configuration requires plain text database password).

AFAIK, prior to Tomcat 6.0, the only option is to develop your own custom JNDI Resource that does the crpto or obfuscates the database password in code and work directly with dbcp to set up the connections. Key management will be a pain. Unless you want a human to have to enter a password to "unlock" the crypto key at startup time, the encryption key has to be stored somewhere.

In Tomcat 6.0 you can see the documentation about Digested Passwords [1] . Not sure about if that also applies to Datasources.

[1]: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested Passwords

Guido  2008-09-24 19:19:25
The Digested Passwords reference there has nothing to do with datasource passwords.
Sindri Traustason  2009-05-18 13:29:47
A: 

We use C#'s SHA1CryptoServiceProvider 

print(SHA1CryptoServiceProvider sHA1Hasher = new SHA1CryptoServiceProvider();
        ASCIIEncoding enc = new ASCIIEncoding();

        byte[] arrbytHashValue = sHA1Hasher.ComputeHash(enc.GetBytes(clearTextPW));
        string HashData = System.BitConverter.ToString(arrbytHashValue);
        HashData = HashData.Replace("-", "");
        if (HashData == databaseHashedPassWO)
        {
            return true;
        }
        else
        {
            return false;
        });

)

Brad8118  2008-09-24 19:19:46
Not sure what this has to do with tomcat config files.
dacracot  2008-09-24 19:27:26
+2  A: 

Tomcat needs to know how to connect to the database, so it needs access to the plain text password. If the password in encrypted, Tomcat needs to know how to decrypt it, so you are only moving the problem somewhere else.

The real problem is: who can access server.xml except for Tomcat? A solution is to give read access to server.xml only to root user, requiring that Tomcat is started with root privileges: if a malicious user gains root privileges on the system, losing a database password is probably a minor concern.

Otherwise you should type the password manually at every startup, but this is seldom a viable option.

gameame  2008-09-26 15:49:07
+4  A: 

As said before encrypting passwords is just moving the problem somewhere else.

Anyway, it's quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords. Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml...) using this class.

And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory and use this factory in your resource.

It will look like:

    <Resource
     name="jdbc/myDataSource"
     auth="Container"
     type="javax.sql.DataSource"
     username="user"
     password="encryptedpassword"
     driverClassName="driverClass"
     factory="mypackage.MyCustomBasicDataSourceFactory"
     url="jdbc:blabla://..."/>

And for the custom factory:

package mypackage;

....

public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {

@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
 Object o = super.getObjectInstance(obj, name, nameCtx, environment);
 if (o != null) {
  BasicDataSource ds = (BasicDataSource) o;
  if (ds.getPassword() != null && ds.getPassword().length() > 0) {
   String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
   ds.setPassword(pwd);
  }
  return ds;
 } else {
  return null;
 }
}

Hope this helps.

Jerome Delattre  2008-12-10 11:28:55
A: 

I agree with Jerome Delattre, that a solution. I used that with success. It is the same aproach of : http://java.sys-con.com/node/393364

 2009-08-13 18:16:38

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?