How to protect MySQL password in servlet query?

 
 
Betty
 
      10-24-2006

I have a servlet which accesses a MySQL database.

What should I do to stop a user from downloading the servlet .class file
and disassembling it to get the password?

The servlet is under WEB-INF, so the user can't just navigate to it, but I
am worrying that if there's a way to use a servlet, then there might be a
way to download it.

I googled around a bit, but can't find any answers to this. Everything
I've seen pertains to applets, not servlets, so maybe there's no worries.



-Betty

 
Manish Pandit
 
      10-24-2006
Hi Betty,

Here are the 2 ways I can think of that someone can get to the class
file:

1. Write another JSP/servlet that streams that class onto the response.
Since the JSP/servlet has access to anything under WEB-INF, it can use
the system path and read it out. However, since "someone" will not go
and deploy a component on "your" server, this is more than likely not
an issue. On another note, make sure the manager application is not
exposed or deployed on your production boxes, if you're using Tomcat.

2. Someone who has access to the server and the folder WEB-INF, even
read-only, can copy the file over and disassemble it to get the
property. To prevent this, make sure the web application folders have
no access (even read) to anyone except the server process and of course
the root.

Given the above scenarios, there is not a whole lot you can do to
prevent the password, other than using the deployment platform's security
features to secure the class and the runtime environment.

Hope this helps!

-cheers,
Manish

 
Arne Vajhøj
 
      10-24-2006
Betty wrote:
> I have a servlet which accesses a MySQL database.
>
> What should I do to stop a user from downloading the servlet .class file
> and disassembling it to get the password?
>
> The servlet is under WEB-INF, so the user can't just navigate to it, but I
> am worrying that if there's a way to use a servlet, then there might be a
> way to download it.


If they get access to WEB-INF, then it is an indication of a
major security hole in either the server config or your app.

If that is the case then you have huge problems no matter what.

So I think you should stop worrying about that and look
for some of the more realistic threats.

And BTW I think the only good solution to avoid this "problem"
is to ask the users to enter a password.

Arne
 
 
traneHead
 
      10-24-2006
Betty wrote:

> I have a servlet which accesses a MySQL database.
>
> What should I do to stop a user from downloading the servlet .class file
> and disassembling it to get the password?
>
> The servlet is under WEB-INF, so the user can't just navigate to it, but I
> am worrying that if there's a way to use a servlet, then there might be a
> way to download it.
>
> I googled around a bit, but can't find any answers to this. Everything
> I've seen pertains to applets, not servlets, so maybe there's no worries.
>
>
>
> -Betty


Apart from what has already been mentioned, you perhaps should consider setting
up a connection pool and getting connections through it using JNDI:
No connection strings and passwords in the servlet (but that really
shouldn't be a problem, as stated before)
Better scaling - easier to handle server/db resources
Better design (imho) with things more decoupled

Good luck with your work!
/David

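As an added example (not code from the thread), the JNDI connection-pool approach David recommends, with the hardcoded pattern Betty is asking about shown in a comment for contrast. The servlet class name, the resource name jdbc/AppDB, the accounts table and the Tomcat context.xml declaration are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class AccountServlet extends HttpServlet {
    // BEFORE (Betty's worry): DriverManager.getConnection("jdbc:mysql://localhost/app",
    //   "appuser", "s3cret") leaves the password as a string constant in the .class file.
    // AFTER: the container owns the pool and the password. With Tomcat the
    // resource is declared in META-INF/context.xml (name "jdbc/AppDB" is assumed):
    //   <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
    //       driverClassName="com.mysql.jdbc.Driver" url="jdbc:mysql://localhost/app"
    //       username="appuser" password="s3cret" maxActive="20"/>
    // and WEB-INF/web.xml carries a matching <resource-ref>; nothing is compiled in.
    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Resolve once at startup: a missing resource fails deployment, not each request.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException("JNDI resource jdbc/AppDB is not configured", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // try-with-resources returns the connection to the pool; "accounts" is an assumed table.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT name FROM accounts WHERE id = ?")) {
            ps.setString(1, req.getParameter("id")); // bind parameter, not string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                resp.setContentType("text/plain");
                resp.getWriter().println(rs.next() ? rs.getString("name") : "not found");
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

The password now lives in a container configuration file owned by the server process, which is exactly the file-permission point Manish makes above.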
 
Betty
 
      10-24-2006
Thanks everyone for the responses. I feel better about the security of
things now.

I'll check the WEB-INF permissions and take a look at connection pooling
too.


-Betty
