The standard data source configuration in JBoss requires the username and password of the database user to be in the xxx-ds.xml file. If I define my data source as a c3p0 mbean I encounter the same issue.
Is there a standard way to have the user and password encrypted? What is a good place to save the key?
This of course relevant to tomcat too - context.xml files, spring configuration files, etc.
There is a wiki document out there: http://www.jboss.org/community/docs/DOC-9703 that describes this.
for the spring part, you can use your own extension of spring's PropertyPlaceholderConfigurer with the String convertPropertyValue(String originalValue) overridden. As the javadoc for the method mentions it (actually in superclass PropertyResourceConfigurer):
Convert the given property value from the properties source to the value that should be applied.
The default implementation simply returns the original value. Can be overridden in subclasses, for example to detect encrypted values and decrypt them accordingly.
This means you can configure your datasource with ${encoded.value} in the spring xml file, and decode the value before injecting the decoded value into the datasource.