I just got my hands on doing dynamic web programming using JSP. What is the proper way to handle the configurations?

For example, database name, host, login, and password, and indexing directory in the server, etc. My concern is mostly about the security of the passwords. Currently I hard code the data into the .java files. I don't think this is the right way to do it, so I would like to learn from your experiences.

+3  A: 

Configuration is usually stored in a properties or XML file which has been placed in the application's runtime classpath. A properties file can be accessed using the java.util.Properties API. An XML file can be parsed using JAXP.

Here's an example of such a properties file:

jdbc.url = jdbc:mysql://localhost:3306/javabase
jdbc.driver = com.mysql.jdbc.Driver
jdbc.username = java
jdbc.password = d$7hF_r!9Y

Assuming that it's named config.properties and it's been placed in the root of the classpath (or its root path has been added to the classpath), here's how you could load it from the classpath:

import java.io.InputStream;
import java.util.Properties;

// Load config.properties from the classpath root; the stream is closed after loading.
Properties properties = new Properties();
try (InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream("config.properties")) {
    properties.load(input);
}
String url = properties.getProperty("jdbc.url");
String driver = properties.getProperty("jdbc.driver");
String username = properties.getProperty("jdbc.username");
String password = properties.getProperty("jdbc.password");
// ...

Here's an example of an XML file:

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <jdbc>
        <url>jdbc:mysql://localhost:3306/javabase</url>
        <driver>com.mysql.jdbc.Driver</driver>
        <username>java</username>
        <password>d$7hF_r!9Y</password>
    </jdbc>
</config>

Assuming that it's called config.xml and it's been placed in the root of the classpath, here's an example of how you could load it:

import java.io.InputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
// Parse config.xml from the classpath root and read each value with XPath.
InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream("config.xml");
Document document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(input));
XPath xpath = XPathFactory.newInstance().newXPath();
String url = (String) xpath.compile("//config//jdbc//url").evaluate(document, XPathConstants.STRING);
String driver = (String) xpath.compile("//config//jdbc//driver").evaluate(document, XPathConstants.STRING);
String username = (String) xpath.compile("//config//jdbc//username").evaluate(document, XPathConstants.STRING);
String password = (String) xpath.compile("//config//jdbc//password").evaluate(document, XPathConstants.STRING);
// ...

It's only a bit more verbose.

Securing the access to properties or XML files in turn is to be controlled at a higher (OS/platform) level.

BalusC
Thank you very much for the comprehensive solution.
Kenneth
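
An added example, not part of the answer above: one way to back the "OS/platform level" access control with a check in the application, by refusing to load a properties file that accounts other than its owner can read or modify. It goes beyond the answer in reading the file from a file system path outside the deployed application instead of the classpath; the class name `SecureConfigLoader`, the `app.config` system property and the sample path are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class SecureConfigLoader {  // hypothetical class name

    // Permissions that let accounts other than the file owner read or change the file.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    /** Loads the file only if group and others have no read or write access to it. */
    public static Properties load(Path file) throws IOException {
        if (!Files.isRegularFile(file)) {
            throw new IOException("Config file not found: " + file);
        }
        // Throws UnsupportedOperationException on non-POSIX file systems (e.g. NTFS).
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (TOO_OPEN.contains(p)) {
                throw new IOException("Refusing to load " + file + ": " + p
                        + " is set, expected owner-only access (chmod 600)");
            }
        }
        Properties properties = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            properties.load(in);
        }
        return properties;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: path supplied as -Dapp.config=/etc/myapp/config.properties
        String location = System.getProperty("app.config");
        if (location == null) {
            throw new IllegalStateException("-Dapp.config=<path> is required");
        }
        Properties config = load(Paths.get(location));
        // Report that the secret is present without ever printing its value.
        System.out.println("jdbc.url      = " + config.getProperty("jdbc.url"));
        System.out.println("jdbc.username = " + config.getProperty("jdbc.username"));
        System.out.println("jdbc.password is "
                + (config.getProperty("jdbc.password") == null ? "missing" : "set"));
    }
}
```

The file should be owned by the account the servlet container runs as and kept out of the WAR and out of version control, so the password exists only on the server.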