 

Secure JDBC connection

I have a plain Java application which is supposed to connect to the database. I don't want to store the database connection URL and username/password in a properties file or hardcode them in the application. What is a common way to solve this problem? How can a Java application connect to a database without revealing the username/password?

Alex asked Mar 18 '09 02:03




1 Answer

I'm a .NET dev, but I've run into the exact same situation.

Last year I was working at a company that had to be PCI compliant to store credit card data, so security was a big deal. The URL/login data has to exist somewhere. The most common method I've seen for securing it is with encryption. I don't know about Java in particular, but .NET has several encryption namespaces in the core Framework. We used these to encrypt the database logins.

You still have a potential security vulnerability, which is the encryption keys used to encrypt/decrypt the data. We used the PCI "compensating controls" method here. Access to the keys is restricted to a "key management" role. We also tracked access of the key itself so that there was a record of all user-initiated and system-initiated access. No one user had access to these logs, so there could be no covering of tracks by a single user. These overlapping security methods essentially create a situation where nothing less than a coordinated conspiracy between multiple administrators is required to put the data in jeopardy.

Dave Swersky answered Sep 20 '22 01:09