How to protect MySQL password in servlet query?

Betty

I have a servlet which accesses a MySQL database.

What should I do to stop a user from downloading the servlet .class file
and disassembling it to get the password?

The servlet is under WEB-INF, so the user can't just navigate to it, but I
am worrying that if there's a way to use a servlet, then there might be a
way to download it.

I googled around a bit, but can't find any answers to this. Everything
I've seen pertains to applets, not servlets, so maybe there's no worries.

-Betty

Manish Pandit

Hi Betty,

Here are the 2 ways I can think of that someone can get to the class
file:

1. Write another JSP/servlet that streams that class onto the response.
Since the JSP/Servlet has access to anything under WEB-INF, it can use
the system path and read it out. However, since "someone" will not go
and deploy a component on "your" server, this is more than likely not
an issue. On another note, make sure the manager application is not
exposed or deployed on your production boxes, if you're using tomcat.

2. Someone who has access to the server and the folder WEB-INF, even
read-only, can copy the file over and dis-assemble it to get the
property. To prevent this, make sure the web application folders have
no access (even read) to anyone except the server process and of course
the root.

Given the above scenarios, there is not a whole lot you can do to
protect the password, other than using the deployment platform's security
features to secure the class and the runtime environment.

Hope this helps!

-cheers,
Manish

Arne Vajhøj

Betty said:
I have a servlet which accesses a MySQL database.

What should I do to stop a user from downloading the servlet .class file
and disassembling it to get the password?

The servlet is under WEB-INF, so the user can't just navigate to it, but I
am worrying that if there's a way to use a servlet, then there might be a
way to download it.

If they get access to WEB-INF, then it is an indication of a
major security hole in either the server config or your app.

If that is the case then you have huge problems no matter what.

So I think you should stop worrying about that and look
for some of the more realistic threats.

And BTW I think the only good solution to avoid this "problem"
is to ask the users to enter a password.

Arne

traneHead

Betty wrote:
I have a servlet which accesses a MySQL database.

What should I do to stop a user from downloading the servlet .class file
and disassembling it to get the password?

The servlet is under WEB-INF, so the user can't just navigate to it, but I
am worrying that if there's a way to use a servlet, then there might be a
way to download it.

I googled around a bit, but can't find any answers to this. Everything
I've seen pertains to applets, not servlets, so maybe there's no worries.

-Betty

Apart from the already mentioned, you perhaps should consider setting
up a connection pool and get connections through that using JNDI:

1. No connection strings and passwords in the servlet (but that really
shouldn't be a problem, as stated before).
2. Better scaling - easier to handle server/db resources.
3. Better design (imho) with things more decoupled.

Good luck with your work!
/David
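As an added illustration of David's suggestion (this is example code written for this thread, not code from any of the posters), here is a servlet that obtains pooled connections through JNDI instead of compiling the MySQL URL, user and password into the class. It assumes a Tomcat 9-era Servlet API (`javax.servlet`), a container resource named `jdbc/MyDB`, and a table `customer(id, name)`; all of those names and values are placeholders chosen for the example.

```java
// Added example (not from the thread): pooled JDBC connection via JNDI.
//
// Assumed Tomcat resource in META-INF/context.xml (placeholder values):
//
//   <Context>
//     <Resource name="jdbc/MyDB" auth="Container" type="javax.sql.DataSource"
//               driverClassName="com.mysql.cj.jdbc.Driver"
//               url="jdbc:mysql://localhost:3306/mydb"
//               username="app_user" password="CHANGE_ME"
//               maxTotal="20" maxIdle="5"/>
//   </Context>
//
// and the matching reference in WEB-INF/web.xml:
//
//   <resource-ref>
//     <res-ref-name>jdbc/MyDB</res-ref-name>
//     <res-type>javax.sql.DataSource</res-type>
//     <res-auth>Container</res-auth>
//   </resource-ref>
//
// The pattern this replaces, which is what puts the password into the .class:
//   DriverManager.getConnection("jdbc:mysql://host/db", "app_user", "secret");

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class CustomerLookupServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // The container resolves the credentials; the compiled class only
            // carries the JNDI name, so decompiling it reveals no password.
            InitialContext ctx = new InitialContext();
            dataSource = (DataSource) ctx.lookup("java:comp/env/jdbc/MyDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/MyDB is not bound", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        int id;
        try {
            id = Integer.parseInt(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "id must be numeric");
            return;
        }

        String name;
        // try-with-resources hands the connection back to the pool on close()
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT name FROM customer WHERE id = ?")) {
            ps.setInt(1, id);  // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                name = rs.next() ? rs.getString("name") : null;
            }
        } catch (SQLException e) {
            log("customer lookup failed", e);  // detail stays in the server log
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        if (name == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(name);
    }
}
```

Note that this moves the password rather than eliminating it: it now lives in `context.xml` on the server, so Manish's point about file permissions on the deployment directory applies to that file just as it did to the class file, and the MySQL account should be granted only the privileges the application needs.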

Betty

Thanks everyone for the responses. I feel better about the security of
things now.

I'll check the WEB-INF permissions and take a look at connection pooling
too.

-Betty