Hi,

I am wondering where we store the database config in a standalone app. The client is connected to the database directly (I know it's not a good idea, but I am not allowed to create a server or open a new port for RMI).

I certainly don't want the user to open up the Hibernate config XML file and get all the details (database username & password etc.).

+1  A: 

If your client app is going to need the details in the end they will always be accessible to the user in some way or another. The best you can do here is obfuscation of the details. You could just base64 encode them and store them in a properties file (not hibernate.properties), then load them in yourself before obtaining a session factory. To load configuration properties you can use the Configuration class.

If you're looking to foil the slightly more knowledgeable client you could also encrypt them and store the key as a static field in your code. This doesn't make it secure but it's possible your clients aren't adept enough to decompile the source and see for themselves how you're decrypting these things.

Remember to shore up security on the server side. (Make sure that DB account has minimal privileges!) Also, disallowing remote services but allowing direct access to the DB doesn't seem like a very sensible policy to me.

wds
+1  A: 

Hopefully, you've got a directory server (any J2EE app-server will do) then pop a data source up there and use Spring's jndi-lookup to retrieve it.

Failing that, like @wds says, it's encrypted credentials or prompting even, creating restricted accounts for each user in the database.

I don't have such a problem with client-side DB access - it's worked fine for years before SOA came along - just make sure the user accounts only have limited permissions - select access only for tables or even perform all look-ups through views (again with the necessary permissions) and execute on the required procs.

Nick Holt
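
The prompting option mentioned above, combined with loading the connection properties yourself through the Configuration class, as an added example that is not code from either answer. It assumes Hibernate is on the classpath, that hibernate.cfg.xml holds the URL, dialect and mappings but no username or password, and that each user has their own restricted database account; the class name `PromptedSessionFactory` is hypothetical.

```java
import java.io.Console;
import java.util.Arrays;

import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;

public final class PromptedSessionFactory {

    private PromptedSessionFactory() {}

    /**
     * Builds a SessionFactory from hibernate.cfg.xml plus credentials supplied
     * at runtime, so no username or password is stored with the application.
     */
    static SessionFactory build(String user, char[] password) {
        // Assumption: hibernate.cfg.xml on the classpath contains no credentials.
        Configuration cfg = new Configuration().configure();
        cfg.setProperty("hibernate.connection.username", user);
        // Hibernate takes the password as a String, so one immutable copy is unavoidable.
        cfg.setProperty("hibernate.connection.password", new String(password));
        return cfg.buildSessionFactory();
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (IDE launch, double-click): a GUI application
            // would show a login dialog here instead.
            System.err.println("No console available to prompt for credentials.");
            System.exit(1);
        }
        String user = console.readLine("Database user: ");
        char[] password = console.readPassword("Database password: ");
        if (user == null || password == null) {
            System.exit(1); // input stream closed before credentials were entered
        }
        SessionFactory factory = null;
        try {
            factory = build(user.trim(), password);
            // ... application work using factory.openSession() ...
        } finally {
            Arrays.fill(password, '\0'); // wipe the prompt buffer
            if (factory != null) {
                factory.close();
            }
        }
    }
}
```

Because each user logs in with their own account, the server-side grants (select on views, execute on the required procs) become the actual access control, and a leaked config file reveals nothing that authenticates.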