Posted to torque-user@db.apache.org by jill han <jh...@bynum.com> on 2007/05/25 00:00:57 UTC

encrypt database user info in the Torque.properties?

I put database user login data in the Torque.properties as  

torque.dsfactory.default.connection.user = username
torque.dsfactory.default.connection.password = userpassword

At first, I thought it was quite common practice. Now somebody questioned
it for security reasons, saying
"Storage of user information in plain text will allow the database
to be compromised if web/app server is hacked."
It was suggested to encrypt the database details in the configuration
file.

Do you think it is a legitimate concern?
Do you encrypt such data in the configuration file?

Your input is appreciated as always.

Jill



---------------------------------------------------------------------
To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org


Re: encrypt database user info in the Torque.properties?

Posted by Guy Galil <gu...@guardium.com>.
It is definitely a legitimate concern.
At the least the password should not be stored in plain text.
What I do instead of calling Torque.init(<config file>);
is create an org.apache.commons.configuration.Configuration object:

 Configuration c = new PropertiesConfiguration(configFile);

then manipulate the Configuration object to modify the password in it,
and then initialize Torque with the Configuration object.

Cheers Guy

  On Thu, 2007-05-24 at 17:00 -0500, jill han wrote:




Re: encrypt database user info in the Torque.properties?

Posted by Ivor Clarke <ic...@datranmedia.com>.
One other option is that some JDBC drivers such as JTDS allow you to  
use Windows Accounts for authentication against the database.  Of  
course that presumes that you are using Windows and a DB platform  
that supports this method of authentication.

-Ivor

On May 24, 2007, at 6:36 PM, Greg Monroe wrote:


RE: encrypt database user info in the Torque.properties?

Posted by Thomas Fischer <fi...@seitenbau.net>.
One thing to remember is that if the attacker has access to the encrypted
password and to the decryption code, he can decrypt the password himself.
By this I do not want to suggest that encrypting the password makes no
sense (it makes the attack a lot harder), but one needs to remember that
there is no absolutely secure solution for this problem.

     Thomas

"Greg Monroe" <Gr...@DukeCE.com> schrieb am 25.05.2007 01:36:54:




RE: encrypt database user info in the Torque.properties?

Posted by Greg Monroe <Gr...@DukeCE.com>.
There is no built in support for this.

However, if you need that level of security, you can
use the Torque.init(Configuration conf) method to initialize
Torque with a "decrypted" version of your encrypted
config file.

E.g., make an "EncryptProperties" class that takes a
plain text config file and encrypts the whole thing.

Then create a matching DecryptReader class that can
be used to load a PropertiesConfiguration class.  E.g.,


if ( ! Torque.isInit() ) {
  DecryptReader dReader = new DecryptReader(keys, encryptedFile);
  PropertiesConfiguration conf = new PropertiesConfiguration();
  conf.load(dReader);
  Torque.init(conf);
}

Of course, if people have access to your compiled classes
they can probably decompile them and find your key values and
encryption methods...




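The following is an added example, not code from the thread or from the Torque project. It combines Greg's idea (store an encrypted value in the properties file and hand Torque a decrypted Configuration) with Guy's pattern (load a PropertiesConfiguration, fix up the password property, then call Torque.init(conf)), and it answers Thomas's and Greg's caveat about the key sitting next to the ciphertext or inside the compiled classes by reading the key from an environment variable instead. The variable name TORQUE_CONFIG_KEY, the "ENC:" value prefix and the class name are assumptions of this example; the Torque.init(Configuration) and Torque.isInit() calls and the property key are the ones shown in the thread, and the commons-configuration 1.x PropertiesConfiguration API is the one Guy's post uses. AES-GCM via the standard JCE is used here because it authenticates the ciphertext, so a tampered or wrongly keyed value fails loudly at start-up instead of yielding a garbage password.

```java
// Added example (not from the thread or the Torque project): keep the database
// password in Torque.properties as an AES-GCM ciphertext, obtain the key from the
// environment so neither the file nor the classes contain it, and give Torque a
// Configuration in which the password property has already been decrypted.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.torque.Torque;

public class EncryptedTorqueConfig {
    // Property key from the thread; the "ENC:" prefix is this example's convention.
    private static final String PASSWORD_KEY = "torque.dsfactory.default.connection.password";
    private static final String PREFIX = "ENC:";
    private static final int IV_BYTES = 12;   // GCM nonce length
    private static final int TAG_BITS = 128;  // GCM authentication tag length

    // Encrypt one property value; result is ENC:base64(iv || ciphertext || tag).
    static String encryptValue(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);              // fresh nonce per value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    // Decrypt a stored value; values without the prefix are returned unchanged so a
    // file can be migrated one property at a time.
    static String decryptValue(SecretKey key, String stored) throws Exception {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return stored;
        }
        byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        // A wrong key or a modified ciphertext throws AEADBadTagException here,
        // which is the failure we want at start-up rather than a silent bad login.
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // The key is injected by the environment (assumed variable name), base64 encoded,
    // 128 or 256 bits. Nothing in the properties file or the jar holds it.
    static SecretKey keyFromEnvironment() {
        String b64 = System.getenv("TORQUE_CONFIG_KEY");
        if (b64 == null) {
            throw new IllegalStateException("TORQUE_CONFIG_KEY is not set");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 16 && raw.length != 32) {
            throw new IllegalStateException("TORQUE_CONFIG_KEY must decode to 16 or 32 bytes");
        }
        return new SecretKeySpec(raw, "AES");
    }

    // Guy's pattern: load the file into a Configuration, replace the password
    // property with its decrypted value, then initialize Torque from the object.
    static void initTorque(String configFile) throws Exception {
        if (Torque.isInit()) {
            return;
        }
        PropertiesConfiguration conf = new PropertiesConfiguration(configFile);
        String stored = conf.getString(PASSWORD_KEY);
        conf.setProperty(PASSWORD_KEY, decryptValue(keyFromEnvironment(), stored));
        Torque.init(conf);
    }

    // Helper for producing the line to paste into Torque.properties:
    //   java EncryptedTorqueConfig <plaintext-password>
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: EncryptedTorqueConfig <plaintext-password>");
            System.exit(2);
        }
        System.out.println(PASSWORD_KEY + " = " + encryptValue(keyFromEnvironment(), args[0]));
    }
}
```

The properties file then carries a line such as torque.dsfactory.default.connection.password = ENC:..., and the application calls initTorque("Torque.properties") in place of Torque.init(configFile). Commons-configuration 1.x splits values on commas by default, which is safe here because base64 output never contains one. Whoever can read both the running process's environment and the file can still recover the password, which is Thomas's point; the gain is that a copy of the file, the jar, or a backup alone no longer yields it.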