Search code examples
javasecurityderbyjavadb

What is the securest way of accessing a JavaDB/Derby database from a java app?

I'm recently trying to make a secure way of accessing a embbeded database without revealing the user and password to someone that knows how to read the .class files. I know almost nothing about security, so any help, tip, recommendation would be useful.

PD: I don't have any other security configuration, so if you have more tips about security I would also be thankful.

  public void initializeDatabase() {
    System.setProperty("derby.system.home", ".\\Data");

    final String userAndPassword = "user=userName;password=strongPassword";
    final String databaseURL = "jdbc:derby:directory:MyDerbyDB;" + userAndPassword;

    // Opens the database connection.
    try (Connection connection1 = DriverManager.getConnection(databaseURL)) {
    } catch (SQLException exception1) {
      if (exception1.getSQLState().equals("XJ004")) { // Database not found.
        // Creates the database if it doesn't exist.
        try (Connection connection2 = DriverManager.getConnection(databaseURL + ";create=true")) {
        } catch (SQLException exception2) {
          Logger.getLogger(ElVecino.class.getName()).log(Level.SEVERE, null, exception2);
          System.exit(1);
        }
        // Create and initialize the database's tables.
        EntityManagerFactory emf = Persistence.createEntityManagerFactory("ElVecinoPU");
        EntityManager em = emf.createEntityManager();
        EntityTransaction et = em.getTransaction();
        try {
          et.begin();
          em.persist(new Category("A random category 1"));
          em.persist(new Category("A random category 2"));
          et.commit();
        } catch (IllegalStateException e) {
        } catch (EntityExistsException e) {
        } catch (TransactionRequiredException e) {
        } catch (RollbackException e) {
          et.rollback();
        }
        em.close();
        emf.close();
      } else {
        Logger.getLogger(ElVecino.class.getName()).log(Level.SEVERE, null, exception1);
        System.exit(1);
      }
    }

    // Closes the database connection.
    try {
      DriverManager.getConnection(databaseURL + ";shutdown=true");
      //DriverManager.getConnection("jdbc:derby:;" + userAndPassword + ";shutdown=true");
    } catch (SQLException exception) {
      switch (exception.getSQLState()) {
        case "08006": // Database shutdown.
        case "XJ015": // Derby system shutdown.
          break;
        default:
          Logger.getLogger(ElVecino.class.getName()).log(Level.SEVERE, null, exception);
          System.exit(1);
      }
    }
  }
Solution

  • I wouldn't store credentials in source code at all. Rather, retrieve them from external directory via JNDI

    https://db.apache.org/derby/docs/10.3/devguide/cdevcsecure38522.html