Java Forum / Security / June 2004

password safety in servlets

yeah@nothanks.com - 28 May 2004 18:13 GMT
Just getting started on servlets/jsp. I'm wondering about password
security in a scenario like this:

basic setup
-----------------------
- servlet/jsp interface with data in a database (mysql)
- access is defined in mysql
- there's a database MyApp
- a 'NewUserAdmin' login capable of granting appropriate access for a
new user

scenario
----------------------
User visits site and submits request for a new account

problem
----------------------
If I make a db connection from a servlet class and it has the
NewUserAdmin password passed as a string, doesn't that expose it to
someone who just downloads the servlet class and does "javap -c" on
it?

I scanned through the java web services tutorial but didn't find (yet)
a discussion of something like this.

Thanks for any direction.
Oscar kind - 28 May 2004 20:48 GMT
> If I make a db connection from a servlet class and it has the
> NewUserAdmin password passed as a string, doesn't that expose it to
> someone who just downloads the servlet class and does "javap -c" on
> it?

Yes, but the servlet class shouldn't be downloadable in the first place.
AFAIK, all application servers provide this protection; you'd have to
explicitly make your servlet class available for download.

On a related note, an attacker could also sniff the traffic between your
servlet and the database. This is the reason that the application server
and the database are generally found behind a firewall. For added
security, a proxy in a DMZ accepts requests from the internet and relays
them to the application server.

Oscar

Signature

Oscar Kind                                    http://home.hccnet.nl/okind/
Software Developer                    for contact information, see website

PGP Key fingerprint:    91F3 6C72 F465 5E98 C246  61D9 2C32 8E24 097B B4E2

nobody - 01 Jun 2004 02:43 GMT
>>If I make a db connection from a servlet class and it has the
>>NewUserAdmin password passed as a string, doesn't that expose it to
[quoted text clipped - 12 lines]
>
> Oscar

Also, you would typically specify the database credentials in a
deployment descriptor/container configuration rather than in the servlet
itself.
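As an added illustration of that last point (example code, not from any poster in this thread): the hard-coded form the original question describes, beside the container-managed form the replies recommend. The resource name `jdbc/MyApp`, the class name and the Tomcat-style configuration are assumptions for the example.

```java
// Added example, not from the thread: hard-coded credentials versus a
// container-managed DataSource looked up through JNDI.
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.sql.DataSource;

public class NewUserServlet extends HttpServlet {

    // BEFORE (the problem from the question): string literals are stored in
    // the class file's constant pool, so anyone holding NewUserServlet.class
    // reads them back with "javap -c" or even "strings".
    //   private static final String DB_USER = "NewUserAdmin";
    //   private static final String DB_PASS = "<password placeholder>";
    //   Connection c = DriverManager.getConnection(
    //       "jdbc:mysql://dbhost/MyApp", DB_USER, DB_PASS);

    // AFTER: the servlet knows only a logical resource name (assumed here as
    // jdbc/MyApp). URL, user and password live in container configuration
    // that the server never serves to clients, and the servlet source and
    // class file carry no secret at all.
    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            InitialContext ctx = new InitialContext();
            dataSource = (DataSource) ctx.lookup("java:comp/env/jdbc/MyApp");
        } catch (NamingException e) {
            throw new ServletException("jdbc/MyApp is not configured in the container", e);
        }
    }

    // Connections come from the container's pool; credentials never pass
    // through application code.
    protected Connection openConnection() throws SQLException {
        return dataSource.getConnection();
    }

    // Matching web.xml declaration (assumed), with the actual credentials
    // supplied by the server (for example a <Resource> in Tomcat's context.xml):
    //   <resource-ref>
    //     <res-ref-name>jdbc/MyApp</res-ref-name>
    //     <res-type>javax.sql.DataSource</res-type>
    //     <res-auth>Container</res-auth>
    //   </resource-ref>
}
```

Keep the container configuration file readable only by the account the application server runs as, since it now holds the password the class file used to.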

