The vast majority of Web Applications use a hard-coded username/password for their SQL connection. Checking production credentials into source control, or giving interns the ability to delete the production database is generally frowned upon. Production credentials should be protected, and only privileged employees should have access to them.
It is common for web applications to leak their configuration files. For example if a .xml file is stored in the webroot then it can be accessed remotely:
It is common practice to disallow access to your database (block tcp port 3306 for mysql). In fact this is a requirement of the PCI-DSS. Even if the username and password were to be obtained, it would be useless.
Read the password from a properties file or LDAP or similar and secure access to those to only the account used to run the software (which none of the developers should have access to).
Use simple files to store the database properties and read them in the code instead of hardcoding. Not only is this clean but you can also restrict file access. This link may help you.
This code creates a database connection using a hardcoded, constant password. That security issue arises because you've used the DB name, username and password. But surely you can't resolve the issue "Anyone with access to either the source code or the compiled code can easily learn the password". I bet you can resolve the first issue. You can use Properties to include your DB username and password, which you could encode into the Properties object using the setProperty() method. Now you can include the property object into the getConnection() method:
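As an added example (not code from any of the answers above) of what the properties-file answers describe: a small Java helper that loads the JDBC credentials from a file kept outside the webroot, refuses to use the file if anyone other than its owner can read it, and hands the values to DriverManager.getConnection() through a Properties object. The config path, the system property name and the three property keys are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public final class DbConfig {
    // Assumed location: outside the webroot, owned by the service account, mode 0600.
    // Expected (constructed) contents of the file:
    //   url=jdbc:mysql://localhost:3306/app
    //   user=app_user
    //   password=<service account secret, never checked into source control>
    private static final Path CONFIG =
        Paths.get(System.getProperty("app.db.config", "/etc/myapp/db.properties"));

    // Loads the file, but only if it is not readable by group or others.
    // Files.getPosixFilePermissions throws UnsupportedOperationException on
    // non-POSIX filesystems (e.g. Windows); use NTFS ACLs or DPAPI there instead.
    static Properties load(Path file) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("refusing to read " + file + ": readable by group/others");
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        for (String key : new String[] {"url", "user", "password"}) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing '" + key + "' in " + file);
            }
        }
        return props;
    }

    // Passes only the credential keys to the driver; nothing is hardcoded in the class.
    static Connection connect(Properties props) throws SQLException {
        Properties info = new Properties();
        info.setProperty("user", props.getProperty("user"));
        info.setProperty("password", props.getProperty("password"));
        return DriverManager.getConnection(props.getProperty("url"), info);
    }

    public static void main(String[] args) throws IOException, SQLException {
        try (Connection c = connect(load(CONFIG))) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

Start the application with `-Dapp.db.config=/path/to/db.properties` so the path itself also stays out of the code; the permission check fails closed, which is what you want when a deploy script leaves the file world-readable.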
You can store the password in a config file and then encrypt the file/sections of the file using DPAPI if you are using Windows box. This way, you won't have to worry about key management too.