How to protect MySQL password in servlet query?

Discussion in 'Java' started by Betty, Oct 24, 2006.

  1. Betty

    Betty Guest

    I have a servlet which accesses a MySQL database.

    What should I do to stop a user from downloading the servlet .class file
    and disassembling it to get the password?

    The servlet is under WEB-INF, so the user can't just navigate to it, but I
    am worrying that if there's a way to use a servlet, then there might be a
    way to download it.

    I googled around a bit, but can't find any answers to this. Everything
    I've seen pertains to applets, not servlets, so maybe there's no worries.



    -Betty
     
    Betty, Oct 24, 2006
    #1

  2. Hi Betty,

    Here are the 2 ways I can think of that someone can get to the class
    file:

    1. Write another JSP/servlet that streams that class onto the response.
    Since the JSP/Servlet has access to anything under WEB-INF, it can use
    the system path and read it out. However, since "someone" will not go
    and deploy a component on "your" server, this is more than likely not
    an issue. On another note, make sure the manager application is not
    exposed or deployed on your production boxes, if you're using Tomcat.

    2. Someone who has access to the server and the folder WEB-INF, even
    read-only, can copy the file over and dis-assemble it to get the
    property. To prevent this, make sure the web application folders have
    no access (even read) to anyone except the server process and of course
    the root.

    Given the above scenarios, there is not a whole lot you can do to
    protect the password, other than using the deployment platform's security
    features to secure the class and the runtime environment.

    Hope this helps!

    -cheers,
    Manish
     
    Manish Pandit, Oct 24, 2006
    #2

  3. Betty wrote:
    > I have a servlet which accesses a MySQL database.
    >
    > What should I do to stop a user from downloading the servlet .class file
    > and disassembling it to get the password?
    >
    > The servlet is under WEB-INF, so the user can't just navigate to it, but I
    > am worrying that if there's a way to use a servlet, then there might be a
    > way to download it.


    If they get access to WEB-INF, then it is an indication of a
    major security hole in either the server config or your app.

    If that is the case then you have huge problems no matter what.

    So I think you should stop worrying about that and look
    for some of the more realistic threats.

    And BTW I think the only good solution to avoid this "problem"
    is to ask the users to enter a password.

    Arne
     
    Arne Vajhøj, Oct 24, 2006
    #3
  4. traneHead

    traneHead Guest

    Betty skrev:

    > I have a servlet which accesses a MySQL database.
    >
    > What should I do to stop a user from downloading the servlet .class file
    > and disassembling it to get the password?
    >
    > The servlet is under WEB-INF, so the user can't just navigate to it, but I
    > am worrying that if there's a way to use a servlet, then there might be a
    > way to download it.
    >
    > I googled around a bit, but can't find any answers to this. Everything
    > I've seen pertains to applets, not servlets, so maybe there's no worries.
    >
    >
    >
    > -Betty


    Apart from the already mentioned, you perhaps should consider setting
    up a connection pool and get connections through that using JNDI:
    - No connection strings and passwords in servlet (but that really
      shouldn't be a problem, as stated before)
    - Better scaling - easier to handle server/db resources
    - Better design (imho) with things more decoupled

    Good luck with your work!
    /David
     
    traneHead, Oct 24, 2006
    #4
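    As an added illustration of the JNDI connection-pool approach David describes (example code, not from anyone in this thread): the servlet below only looks up a container-managed DataSource, so the JDBC URL, user name and password never appear in the compiled .class file. The resource name jdbc/BettyDB, the users table and the Tomcat context.xml fragment in the comment are assumptions; it targets the javax.servlet API, and some containers also expect a matching resource-ref in web.xml.

```java
// Added example, not from the thread: a servlet that borrows MySQL connections
// from a container-managed JNDI DataSource, so no URL, user or password is
// compiled into the .class file. The credentials live only in the container's
// config, e.g. Tomcat META-INF/context.xml (resource name jdbc/BettyDB is made up):
//
//   <Context>
//     <Resource name="jdbc/BettyDB" auth="Container" type="javax.sql.DataSource"
//               driverClassName="com.mysql.jdbc.Driver"
//               url="jdbc:mysql://localhost:3306/bettydb"
//               username="webapp" password="CHANGE_ME" maxActive="20" maxIdle="5"/>
//   </Context>
import java.io.IOException;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class PooledLookupServlet extends HttpServlet {
    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Look the pool up once; the container resolves java:comp/env names.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/BettyDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/BettyDB is not bound in JNDI", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        // Borrow a pooled connection and hand it back via try-with-resources;
        // a PreparedStatement keeps the request parameter out of the SQL text.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE id = ?")) {
            ps.setInt(1, Integer.parseInt(req.getParameter("id")));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) resp.getWriter().println(rs.getString(1));
            }
        } catch (SQLException | NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "lookup failed");
        }
    }
}
```

    The file that does hold the password (context.xml) still needs the restrictive file permissions Manish describes, since moving the secret out of the class only changes which file must be protected.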
  5. Betty

    Betty Guest

    Thanks everyone for the responses. I feel better about the security of
    things now.

    I'll check the WEB-INF permissions and take a look at connection pooling
    too.


    -Betty



    "traneHead" <> wrote in
    news::

    > Betty skrev:
    >
    >> I have a servlet which accesses a MySQL database.
    >>
    >> What should I do to stop a user from downloading the servlet .class
    >> file and disassembling it to get the password?
    >>
    >> The servlet is under WEB-INF, so the user can't just navigate to it,
    >> but I am worrying that if there's a way to use a servlet, then there
    >> might be a way to download it.
    >>
    >> I googled around a bit, but can't find any answers to this.
    >> Everything I've seen pertains to applets, not servlets, so maybe
    >> there's no worries.
    >>
    >>
    >>
    >> -Betty

    >
    > Apart from the already mentioned, you perhaps should consider setting
    > up a connection pool and get connections through that using jndi:
    > No connection strings and passwords in servlet (but that really
    > shouldn't be a problem, as stated before)
    > Better scaling - easier to handle server/db resources
    > Better design (imho) with things more decoupled
    >
    > Good luck with your work!
    > /David
    >
     
    Betty, Oct 24, 2006
    #5