
How can I encrypt password in log4j.properties?

Is there any way that I can encrypt the password in log4j.properties?

The following is my appender:

log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:mysql://localhost:3306/anilpractice
log4j.appender.DB.driver=com.mysql.jdbc.Driver
log4j.appender.DB.user=root
log4j.appender.DB.password=P@ssw0rd
log4j.appender.DB.sql=INSERT INTO logs VALUES('%x','%d{dd MMM yyyy HH:mm:ss}','%C','%p','%m')
log4j.appender.DB.layout=org.apache.log4j.PatternLayout

Please help me out: how can I encrypt the .password tag?

Thank you all.

ANILBABU asked Apr 04 '14 10:04


2 Answers

Thank God, I finally got a solution to keep an encrypted password in log4j.properties.

What we have to do is:

Replicate the JDBCAppender class of log4j.jar.

Modify the definition of

public void setPassword(String password)
{
    this.databasePassword = password;
}

in JDBCAppender according to your need, and replace that class in log4j.jar.

ANILBABU answered Sep 28 '22 08:09
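One way to do what this answer describes without replacing a class inside log4j.jar, as an added example (not code from the answer or from log4j): a subclass overrides `setPassword` and decrypts the property value before handing it to `JDBCAppender`. The class name, the `LOG4J_DB_KEY_FILE` variable and the Base64(IV || AES-GCM ciphertext) value format are assumptions; it needs log4j 1.2 on the classpath.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.log4j.jdbc.JDBCAppender;

// Hypothetical subclass; reference it in log4j.properties in place of JDBCAppender.
// log4j.appender.DB.password then holds Base64(12-byte IV || ciphertext || GCM tag).
public class EncryptedPasswordJDBCAppender extends JDBCAppender {
    // Assumed variable: path of a file holding the Base64 AES key, readable only by the service account
    static final String KEY_FILE_ENV = "LOG4J_DB_KEY_FILE";
    static final int IV_LEN = 12, TAG_BITS = 128;

    @Override
    public void setPassword(String encoded) {
        try {
            // The key never sits next to the ciphertext in log4j.properties
            byte[] keyFile = Files.readAllBytes(Paths.get(System.getenv(KEY_FILE_ENV)));
            byte[] key = Base64.getDecoder().decode(new String(keyFile, StandardCharsets.US_ASCII).trim());
            super.setPassword(decrypt(encoded.trim(), key));
        } catch (Exception e) {
            // Fail closed (missing variable, unreadable key file, failed GCM tag check)
            throw new IllegalStateException("cannot decrypt log4j DB password", e);
        }
    }

    static String decrypt(String encoded, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(encoded);
        if (blob.length <= IV_LEN) throw new IllegalArgumentException("ciphertext too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
    }

    // Operator-side helper: produces the value to paste into log4j.appender.DB.password
    static String encrypt(String password, byte[] key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh random IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }
}
```

This only adds protection when the key file is guarded separately from the configuration file; anyone who can read both can recover the password.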


I don't think that is possible. Even if it's possible, consider the following:

If you can establish a connection by only providing an "encrypted password", it's like the password is not encrypted, because everyone who copies the encrypted password can connect and compromise your database. The only difference is that the password is presented in a different way and maybe less human-readable, but still fully useful. Even if you implement some symmetric decryption of the password in your code, if the attacker has access to your configuration file containing the encrypted password, it is very likely that he also has access to your code running on the same machine containing the decryption algorithm and would be able to decompile and read the algorithm.

Better create a DB-User with restricted access rights to only write into the logging table. In this way a stolen password can't harm your database very much.

Simulant answered Sep 28 '22 08:09