Hi,

I have a connection pool set in the tomcat server context.xml (connection used by several webapps so seems the best place for it).

However, I don't like having passwords hard-coded in the file. Is there any way for me to retrieve the password from elsewhere (a secure password store) and set it programmatically at the time the pooled connections are established?

Thank you

Ryan

A: 

You might want to implement a single sign-on for your web application (e.g. using JOSSO). Note that it might be a significant overhead for a small project, but this should solve your problem. Apart from this solution, there are vendor specific applications like Secure External Password Store from Oracle. Another platform dependent example: you can configure PostgreSQL pg_hba.conf. Try the following authentication options:

  • Authenticate using SSL client certificates.
  • Authenticate using the Pluggable Authentication Modules (PAM) service provided by the operating system.
  • Authenticate using an LDAP server.
  • ... and many others

Edit: In one of the projects we used 3DES to encrypt the password. And yes, the key was hardcoded in the application :)

Alexey Kalmykov
Thanks a lot for your response, I appreciate the time you took to answer. However, I am trying to stick to the standard Tomcat DBCP and simply 'bolt on' my password retrieval, so I marked the answer below as the accepted solution. Thank you. Ryan
Ryan
+2  A: 

I believe you are looking for a Custom Resource Factory: you can code your factory to create a javax.sql.DataSource object or a DBCP (or similar) based connection-pooling facade object, and have your custom code for getting and setting the username/password for the connection.

Do note that if you're looking for extra security, the pragmatic way would be to use filesystem security to secure your context.xml file, as adding extra layers (such as your custom implementation of the resource factory) won't make the system more secure: you still need the password for the secure password store configured somewhere, so you'll end up with the chicken-or-egg problem.

Zoran Regvart
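A minimal form of the resource factory Zoran describes, as an added example that is not code from this thread. It assumes Tomcat 8 or later (the shaded org.apache.tomcat.dbcp.dbcp2 package), and the class name and the passwordFile attribute are hypothetical choices; the password file itself is the "somewhere" the secret still has to live, protected by filesystem permissions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.spi.ObjectFactory;
import org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory;

/*
 * Hypothetical factory: attributes of the <Resource> element pass through to
 * DBCP unchanged, except that the password is read from the file named by the
 * custom "passwordFile" attribute rather than being written in context.xml.
 * Constructed context.xml entry:
 *   <Resource name="jdbc/app" type="javax.sql.DataSource" auth="Container"
 *       factory="example.ExternalPasswordDataSourceFactory"
 *       driverClassName="org.postgresql.Driver" url="jdbc:postgresql://localhost/app"
 *       username="app" passwordFile="/etc/tomcat/db.pass"/>
 */
public class ExternalPasswordDataSourceFactory implements ObjectFactory {
    @Override
    public Object getObjectInstance(Object obj, Name name, Context ctx,
                                    Hashtable<?, ?> env) throws Exception {
        Reference ref = (Reference) obj;
        Properties props = new Properties();
        String passwordFile = null;
        for (Enumeration<RefAddr> e = ref.getAll(); e.hasMoreElements();) {
            RefAddr addr = e.nextElement();
            String value = addr.getContent().toString();
            if ("passwordFile".equals(addr.getType())) {
                passwordFile = value;
            } else if (!"password".equals(addr.getType())) {
                props.setProperty(addr.getType(), value); // drop any inline password
            }
        }
        if (passwordFile == null) {
            throw new IllegalStateException("passwordFile attribute is required");
        }
        // The secret still lives somewhere: keep this file tomcat-owned, mode 0600.
        String password = new String(Files.readAllBytes(Paths.get(passwordFile)),
                                     StandardCharsets.UTF_8).trim();
        props.setProperty("password", password);
        return BasicDataSourceFactory.createDataSource(props);
    }
}
```

Deploy the compiled class in Tomcat's lib directory (the same class loader that sees the shaded DBCP), and note that the pool is created lazily, so a missing or unreadable password file surfaces as a JNDI lookup failure at first use.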