Some clarifications: there's no username/pass in the providers.config, only in the sqlMap.config.

You must put the login/pass in the connectionString of the dataSource element
<dataSource connectionString="..." .../>
but if it is left empty, it's not a problem, as you can assign the connectionString of the datasource via the code: just after the call to sqlMap = SqlMapper.Configure(), you can access the connection string property via sqlMap.DataSource.ConnectionString and fill it in at that time.

-Cheers
Gilles

----- Original Message -----
From: "Pablo Lopez" <[EMAIL PROTECTED]>
To: <ibatis-user-cs@incubator.apache.org>
Sent: Wednesday, January 12, 2005 1:49 PM
Subject: plaintext passwords and exposed sql in configuration files

> Hi everybody,
>
> I'm new to using iBatis and I've managed to get it up and running,
> providing excellent features.
>
> But there's one problem that I've come across: the username and password
> used for the connection with the database are stored in plaintext,
> either in the sqlmap.config or in the providers.config files, as is
> all the SQL in the datamaps.
>
> So, even if my application is quite secure, if the username, password
> and the SQL sentences in the datamaps are exposed, not only can everyone
> connect to the database, but they also know the methods we use to access
> it, so my application security becomes useless.
>
> Is there any known solution for that? Or doesn't iBatis cover that
> problem and I must use the operating system features (for example file
> read permissions) to overcome that problem?
>
> People at my company are quite reluctant to use iBatis because of those
> two problems (username, password and SQL exposed in files) but I really
> want to give iBatis a try, so any kind of information on solving these
> issues would help a lot.
>
> I suppose I'm not the first one to have this issue, but I've searched
> Google, iBatis documentation, etc...
> and found nothing about it (and the
> "archives" feature of this mailing list
> (http://nagoya.apache.org/eyebrowse/[EMAIL PROTECTED] cubator.apache.org)
> does not seem to work).
>
> Thanks a lot,
>
> Pablo.
>
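
The approach described in the reply above, as an added example that is not part of the original thread and not iBATIS.NET project code: the connectionString in sqlMap.config is left empty and filled in right after SqlMapper.Configure(). The SQL Server provider, the use of Windows DPAPI for the stored password, and the names APP_DB_USER, db.secret, db.example.internal and AppDb are assumptions made for this example.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using IBatisNet.DataMapper;

public static class MapperFactory
{
    // Hypothetical names chosen for this example.
    private const string UserEnvVar = "APP_DB_USER";
    private const string SecretFile = @"C:\ProgramData\MyApp\db.secret";

    // One-time provisioning, run as the service account: the password is
    // encrypted with DPAPI so only that Windows account can decrypt it.
    public static void StorePassword(string password)
    {
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(password), null, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(SecretFile, blob);
    }

    public static SqlMapper Create()
    {
        string user = Environment.GetEnvironmentVariable(UserEnvVar);
        if (string.IsNullOrEmpty(user) || !File.Exists(SecretFile))
            throw new InvalidOperationException("Database credentials are not provisioned.");

        byte[] clear = ProtectedData.Unprotect(
            File.ReadAllBytes(SecretFile), null, DataProtectionScope.CurrentUser);
        try
        {
            // The builder quotes values, so a ';' in the user name or password
            // cannot add extra connection-string keywords.
            SqlConnectionStringBuilder csb = new SqlConnectionStringBuilder();
            csb.DataSource = "db.example.internal"; // placeholder server
            csb.InitialCatalog = "AppDb";           // placeholder database
            csb.UserID = user;
            csb.Password = Encoding.UTF8.GetString(clear);

            // sqlMap.config carries connectionString="" and is completed here.
            SqlMapper sqlMap = SqlMapper.Configure();
            sqlMap.DataSource.ConnectionString = csb.ConnectionString;
            return sqlMap;
        }
        finally
        {
            Array.Clear(clear, 0, clear.Length); // wipe the decrypted bytes
        }
    }
}
```

The file db.secret is useless when copied to another machine or read by another account, which covers the plaintext-password concern; the SQL in the data maps still needs file read permissions to stay private.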