findbugs and database password security issue

Question

I'm using the following code to initialize database connection:

 public Connection getConnection() {
        try {
            if (null == connection) {
                String driverName = "com.mysql.jdbc.Driver"; // MySQL MM JDBC driver
                Class.forName(driverName);

                // Create a connection to the database
                String serverName = "localhost";
                String database = "database";
                String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url
                String username = "username";
                String password = "password";
                connection = DriverManager.getConnection(url, username, password);
            }
            return connection;
        } catch (ClassNotFoundException cnfe) {
            cnfe.printStackTrace();
        } catch (SQLException sqle) {
            sqle.printStackTrace();
        }
        throw new NullPointerException("Cannot establish database connection...");
    }

and I know it's bad practice to do it, also I ran FindBugs against the code, and got the security issue saying the following: This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

What's the best way to initialize database connection without having this security breach?

Answer 1

Read the password from a properties file or LDAP or similar and secure access to those to only the account used to run the software (which none of the developers should have access to).

Answer 2

Use simple files to store the database properties and read them in the code instead of hardcoding. Not only is this clean but you can also restrict file access.

This link may help you.

Answer 3

You can store the password in a config file and then encrypt the file/sections of the file using DPAPI if you are using Windows box. This way, you won't have to worry about key management too.

Answer 4

This code creates a database connect using a hardcoded, constant password. .

That security issue arise because, you've used the DB name, username and password. But surely you can't resolve the issue "Anyone with access to either the source code or the compiled code can easily learn the password". I bet U can resolve the first issue.

You can use Properties to include your DB uesrname and password with which you could encode into the Properties object using setproperty() method.

Now you can include the property object into the getConnection() method :

conn = DriverManager(url, properyObject);

Answer 5

The vast majority of Web Applications use a hard-coded username/password for their SQL connection. This is not a violation of the OWASP top 10 or any CWE that I know of. There for this is not a vulnerability.

This could be a vulnerability if you store the information in a .xml file that can be accessed remotly: http://localhost/configs/db_config.xml.

It is common practice to disallow access to your database (block tcp port 3306 for mysql). In fact this is a requirement of the PCI-DSS. Even if the username and password where to be obtained, it would be useless.