
Proper way of Securing Database credentials from a property file


I have a Database Connection class which accesses the database credentials from a property file located at src/main/resources.

**DBconfig.properties** (property file)

DB.url=jdbc:mysql://localhost:3306/studentdb
DB.username=root
DB.password=root

My Connection class goes like this (located at src/main/java),

import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

public class DBconnect {

    // Name of the properties file on the classpath (src/main/resources)
    private static String resources = "DBconfig.properties";
    private static Connection con = null;
    private static String url = null;
    private static String username = null;
    private static String password = null;

    public static void main(String[] args) {

        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        Properties prop = new Properties();

        // try-with-resources closes the stream even when loading fails
        try (InputStream rs = loader.getResourceAsStream(resources)) {

            if (rs == null) {
                throw new IllegalStateException(resources + " not found on classpath");
            }
            prop.load(rs);

            // Credentials are read from the file in clear text
            url = prop.getProperty("DB.url");
            username = prop.getProperty("DB.username");
            password = prop.getProperty("DB.password");

            Class.forName("com.mysql.jdbc.Driver");
            con = DriverManager.getConnection(url, username, password);
            System.out.println("Database is Connected");

        } catch (Exception e) {

            System.out.println("Database is Not Connected");
            e.printStackTrace();
        }

    }

}

My problem is that my credentials are available in the property file in clear text. Am I securing my credentials properly? Is it secure the way I have implemented it already? Is there anything I need to do to make it better? This is a Spring MVC application using the WebLogic app server. Thanks.


Solution

  • You can use Jasypt; that'll allow you to store them in the properties file, but in encrypted form.

    Although they are stored encrypted, you could probably gain access to them if you mess with RAM (because the connection string is gonna be stored in RAM at some point). A more secure way of protecting yourself is using Roles, Procedures and Views in the Database.

    For example: don't allow that user to create new tables or select whatever he wants; allow him to retrieve just some view; if you wanna check login credentials, do that using a procedure...

    And finally, the safest option is to use a server and go through the server for everything.
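The Jasypt approach from the answer, as an added example that is not part of the original question or answer and not Jasypt's own code. It assumes Jasypt 1.9.3 or later on the classpath, a hypothetical environment variable DBCONFIG_MASTER_KEY set on the WebLogic managed server (never written into any file), and a DBconfig.properties in which DB.password has been replaced by an ENC(...) value produced once by encryptForProperties.

```java
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.properties.EncryptableProperties;

public class EncryptedDbConfig {

    // Assumption: the master key lives only in the server process environment,
    // so the properties file on its own is not enough to recover the password.
    private static final String MASTER_KEY_ENV = "DBCONFIG_MASTER_KEY";

    static StandardPBEStringEncryptor newEncryptor(String masterKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // Jasypt 1.9.3+, Java 8+
        enc.setIvGenerator(new RandomIvGenerator());      // AES modes need a random IV
        enc.setPassword(masterKey);
        return enc;
    }

    // One-off helper: run it once and paste the result into DBconfig.properties, e.g.
    // DB.password=ENC(<ciphertext>)   (the clear-text line is removed from the file)
    static String encryptForProperties(String masterKey, String plaintext) {
        return "ENC(" + newEncryptor(masterKey).encrypt(plaintext) + ")";
    }

    static Connection connect() throws Exception {
        String masterKey = System.getenv(MASTER_KEY_ENV);
        if (masterKey == null || masterKey.isEmpty()) {
            // Fail closed: no key means no connection, rather than a silent fallback.
            throw new IllegalStateException(MASTER_KEY_ENV + " is not set");
        }
        Properties prop = new EncryptableProperties(newEncryptor(masterKey));
        try (InputStream in = Thread.currentThread().getContextClassLoader()
                .getResourceAsStream("DBconfig.properties")) {
            if (in == null) {
                throw new IllegalStateException("DBconfig.properties not on classpath");
            }
            prop.load(in);
        }
        // getProperty() transparently decrypts any value written as ENC(...);
        // plain values such as DB.url are returned unchanged.
        return DriverManager.getConnection(
                prop.getProperty("DB.url"),
                prop.getProperty("DB.username"),
                prop.getProperty("DB.password"));
    }
}
```

The decrypted password still exists in the JVM heap while the connection is being opened, which is the RAM caveat the answer raises; restricting the database account's privileges with roles and views limits the damage if it is recovered.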