What is the proper way of handling configurations (database login and passwords, etc.) in a dynamic web project?

Question

I just got my hands on doing dynamic web programming using JSP. What is the proper way to handle the configurations?

For example, database name, host, login, and password, and indexing directory in the server, etc. My concern is mostly about the security of the passwords. Currently I hard code the data into the .java files, I don't think this is the right way to do so I would like to learn from your experiences.

Answer 1

Configuration is usually stored in a properties or XML file which is been placed in the application's runtime classpath or at a fixed location which is specified as a VM argument. A properties file can be accessed using java.util.Properties API. A XML file can be parsed using JAXP or JAXB.

Here's an example of such a properties file:

jdbc.url = jdbc:mysql://localhost:3306/javabase
jdbc.driver = com.mysql.jdbc.Driver
jdbc.username = java
jdbc.password = d$7hF_r!9Y

Assuming that it's named config.properties and it's been placed in the root of the classpath (or its root path is been added to the classpath), here's how you could load it from the classpath:

Properties properties = new Properties();
properties.load(Thread.currentThread().getContextClassLoader().getResourceAsStream("config.properties"));
String url = properties.getProperty("jdbc.url");
String driver = properties.getProperty("jdbc.driver");
String username = properties.getProperty("jdbc.username");
String password = properties.getProperty("jdbc.password");
// ...

Here's an example of a XML file:

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <jdbc>
        <url>jdbc:mysql://localhost:3306/javabase</url>
        <driver>com.mysql.jdbc.Driver</driver>
        <username>java</username>
        <password>d$7hF_r!9Y</password>
    </jdbc>
</config>

Assuming that it's called config.xml and it's been placed in the root of the classpath, here's an example how you could load it by JAXP:

InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream("config.xml");
Document document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new InputSource(input));
XPath xpath = XPathFactory.newInstance().newXPath();
String url = (String) xpath.compile("//config//jdbc//url").evaluate(document, XPathConstants.STRING);
String driver = (String) xpath.compile("//config//jdbc//driver").evaluate(document, XPathConstants.STRING);
String username = (String) xpath.compile("//config//jdbc//username").evaluate(document, XPathConstants.STRING);
String password = (String) xpath.compile("//config//jdbc//password").evaluate(document, XPathConstants.STRING);
// ...

It's only a bit more verbose although JAXB can make life easier if it's a rather complex file.

Securing the access to properties or XML files in turn is to be controlled at higher (OS/platform) level.

See also:

• Properties tutorial