Moving passwords out of war

We have a web application that runs on Tomcat that has hardcoded passwords inside some of the .java files. Our security folks are none too pleased, and they asked that we move the files externally.

My assumption was that the best way to do this was to put a properties file inside of the Tomcat /conf directory, perhaps? Or maybe setting up some sort of JNDI property in one of the config files?

Is there a generally acceptable way this should be done?

I see this post has some answers for non-Tomcat: What is the best way to keep passwords configurable, without having them too easily available to the casual human reader?

To get more specific, we have application-managed database connections and I wanted to grab the credentials. I'm assuming I need to somehow put them into a JNDI resource and then query that resource for the username/password?

Jeef asked Sep 14 '25 01:09
2 Answers

A fairly easy solution would be simply externalizing the credentials from your app by:

  • creating a JNDI entry in the appserver config
  • restricting the access to this file (only those who are doing the release should have access to it)
  • having the application use the JNDI resource to get connections

This way developers (or anybody with access to source code) will not know the passwords. If you want an even more secure approach, you also need to encode the password instead of storing it as cleartext. This obviously requires extra effort, so you need to decide whether it is worth doing or not.

Gergely Bacso answered Sep 16 '25 13:09

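As an added example (not code from the answer above), here is what that JNDI approach looks like on Tomcat: the resource is declared in the container config, and the application only knows the lookup name. The resource name, driver, host and account name are assumptions; the password value is a placeholder.

```java
// Added example: externalising JDBC credentials into a Tomcat-managed JNDI
// DataSource and looking it up from the web app (names below are assumptions).
//
// 1. Declare the pool in Tomcat's config rather than in .java source, e.g. in
//    $CATALINA_BASE/conf/context.xml (resource name, driver, host and user are
//    assumed; the password is a placeholder to be filled in at release time):
//
//    <Resource name="jdbc/appDS" auth="Container"
//              type="javax.sql.DataSource"
//              driverClassName="org.postgresql.Driver"
//              url="jdbc:postgresql://db.example.internal:5432/app"
//              username="app_user" password="CHANGE_ME"/>
//
//    Restrict that file to the account Tomcat runs as (e.g. chmod 600), so
//    developers with source access still never see the credential.
//    Optionally add a matching <resource-ref> in WEB-INF/web.xml.
//
// 2. Resolve it at runtime: no username or password appears in the code.
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public final class AppDataSource {
    // Container-managed resources are bound under java:comp/env
    private static final String JNDI_NAME = "java:comp/env/jdbc/appDS";
    private static volatile DataSource cached;

    /** Looks up the DataSource once and caches it for later calls. */
    public static DataSource get() {
        DataSource ds = cached;
        if (ds == null) {
            try {
                ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
            } catch (NamingException e) {
                throw new IllegalStateException("JNDI resource not bound: " + JNDI_NAME, e);
            }
            cached = ds;
        }
        return ds;
    }

    /** Borrows a pooled connection; callers close it via try-with-resources. */
    public static Connection openConnection() throws SQLException {
        return get().getConnection();
    }
}
```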
I suggest these cases:

  • If the credentials are for a database, I suggest you can use a JNDI alias and the JNDI will be configured at the application server.

  • If the credentials are for another use, you need to encrypt them and set them up in a properties file: the server that resolves the credentials will need to have the algorithm.

  • In any other case the user will need to enter the credentials in real time.

frss-soft.com answered Sep 16 '25 15:09