-----------------------------
Please read the FAQ!
<http://java.apache.org/faq/>
-----------------------------
How do you decrypt the password? If you use a key to decrypt, where do you
store the key?

One of the problems we have had with this is if someone is smart enough to
break into our server and get access to the property file, then they can
probably get the .class file that is used to decrypt the property text and
reverse engineer it to get either hard coded keys or the actual decryption
algorithm we use.

We have decided that if someone is good enough to break into our server and
gain access to the property and class files then we can't really protect
ourselves from that person. We encrypt the password as you do, but we do it
just to prevent someone from being able to look over our shoulder as we edit
a property file and seeing the password in clear text.

I am sure there are better ways of doing this, and I am most interested in
hearing from others.

>-----Original Message-----
>From: Chris McCarthy [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, September 01, 1999 10:12 AM
>To: Java Apache Users
>Subject: Re: Security
>
>I store it as an encrypted String in a .properties file and retrieve it via
>Properties.getProperty().
>I believe it's best not to store it as clear text anywhere on the server in
>case anyone manages to get remote access to the server.
>
>Frank Morton wrote:
>
>> > I am using servlets / JDBC. It has been suggested that the best thing to do
>> > with the DB password is to stick it into an "Environment variable" on the
>> > web server and get it via a "getProperty()" call from within the servlet.
>> > (This is opposed to having it "hard coded" into a class file which is what
>> > I currently do).
>> >
>> > Does anybody have any comments on the relative security of both methods? Or
>> > is there a better way which I have not heard about?
>>
>> My only comment is that this is how I am doing it all the time and I
>> am uncomfortable with it. I'd like also to hear of alternatives others
>> have come up with.
>>
>> --
>> --------------------------------------------------------------
>> Please read the FAQ! <http://java.apache.org/faq/>
>> To subscribe: [EMAIL PROTECTED]
>> To unsubscribe: [EMAIL PROTECTED]
>> Archives and Other: <http://java.apache.org/main/mail.html>
>> Problems?: [EMAIL PROTECTED]
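
Added example, not part of any message in this thread: one way to read an encrypted `.properties` value through `Properties.getProperty()` while keeping the key out of the .class file, so the ciphertext and the key are not stored together in the deployed files. It assumes a modern JDK with AES-GCM; the class name, the `db.password.enc` property and the `DB_PROP_KEY` variable are hypothetical, and anyone who can read both the key and the property file can still decrypt.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DbPasswordProperty {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Returns Base64(iv || ciphertext+tag), usable as a .properties value.
    static String seal(byte[] key, String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException when the key is wrong or the value was modified.
    static String open(byte[] key, String sealed) throws Exception {
        byte[] raw = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        return new String(c.doFinal(raw, IV_LEN, raw.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the key is supplied from outside the deploy tree, here via the
        // hypothetical DB_PROP_KEY variable (Base64, 16 or 32 bytes). A random key is
        // generated only so this demo runs without it.
        String env = System.getenv("DB_PROP_KEY");
        byte[] key = new byte[32];
        if (env != null) key = Base64.getDecoder().decode(env); else new SecureRandom().nextBytes(key);
        // Constructed property file content; the password is a sample value.
        String file = "db.user=app\ndb.password.enc=" + seal(key, "sample-password") + "\n";
        Properties props = new Properties();
        props.load(new StringReader(file));
        System.out.println("decrypted: " + open(key, props.getProperty("db.password.enc")));

        try { open(new byte[32], props.getProperty("db.password.enc")); }
        catch (AEADBadTagException e) { System.out.println("wrong key: rejected"); }
    }
}
```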