Environment

I have a Java application that is going to need access to a MySQL database to load and save data, and the load/save cannot occur by writing to disk, so it has to be through the database.

I was reading about JNDI, but I'm not sure that will help because every example I've seen has been for a Java servlet, and my goal is to use it in a Java standalone application.

Questions

  • What is the best way to store the MySQL username and password so that all clients can access the database while still protecting the login information, so that my program is not decompiled and someone uses the MySQL login to drop all my tables?

  • What would you guys recommend? I'd like this to be as secure as possible and I'm open to any suggestions.

  • Only a handful of statements will be executed on the database, and those are hard-coded strings that are used in prepared statements, so I think that is secure, or no?

  • But my main issue is protecting the database login information.

Toto
Mkey

2 Answers

You have several options:

  • use credentials with the minimum possible permissions. That means this user will be able to INSERT but not DROP or DELETE.
  • separate the program and the code that writes to the database by creating a webservice (or other remoting techniques)
  • use only PROCEDUREs and FUNCTIONs to contact the database and grant only them to the user. By doing this you will have a login to the database that is not allowed to do anything except call procedures and functions.
Marged
  • I like the first option; that seems super easy and slightly secure, but still I'd have a database full of garbage data if someone decided to flood it, and it could possibly even result in a denial of service. What should I look up to get more information on the remoting techniques you talked about? – Mkey Jan 07 '16 at 15:57
  • @Mkey the remoting will not save you from DoS attacks either. Either protect your web service with per-app credentials or implement sanity checks for the incoming data. – Marged Jan 07 '16 at 16:03
  • What do you mean by per-app credentials? My idea was to have a .xml file with the login details that is stored so the outside world cannot view it, but then how could I make my application able to get the login details from it? – Mkey Jan 07 '16 at 16:07
  • @Mkey I meant that users of your app could each get their own credentials to authenticate with your web service. – Marged Jan 07 '16 at 16:13
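As an added example (not code from either answer), this is what options 1 and 3 from the answer above look like on the MySQL side: the client account gets no table privileges at all, only EXECUTE on two definer-rights procedures, so a credential recovered from a decompiled client cannot be used to DROP or DELETE anything. The database, table, procedure, account and password names are placeholders.

```sql
-- Constructed example: a least-privilege MySQL account for a standalone client.
-- appdb, records, save_record, load_records and app_client are placeholder names.
CREATE DATABASE IF NOT EXISTS appdb;
USE appdb;

CREATE TABLE IF NOT EXISTS records (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  owner   VARCHAR(64)  NOT NULL,
  payload VARCHAR(255) NOT NULL,
  created TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- The procedures run with the privileges of their definer (SQL SECURITY DEFINER
-- is the default), so the caller never needs a grant on the table itself.
-- The input check inside save_record is the "sanity check" Marged mentions.
DELIMITER $$
CREATE PROCEDURE save_record(IN p_owner VARCHAR(64), IN p_payload VARCHAR(255))
SQL SECURITY DEFINER
BEGIN
  IF p_owner = '' OR p_payload = '' THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'owner and payload are required';
  END IF;
  INSERT INTO records (owner, payload) VALUES (p_owner, p_payload);
END$$

CREATE PROCEDURE load_records(IN p_owner VARCHAR(64))
SQL SECURITY DEFINER
BEGIN
  SELECT id, payload, created FROM records WHERE owner = p_owner;
END$$
DELIMITER ;

-- Client account: no table privileges, only EXECUTE on the two procedures.
-- Replace the password placeholder and narrow the host part ('%') where possible.
CREATE USER IF NOT EXISTS 'app_client'@'%' IDENTIFIED BY 'CHANGE_ME_placeholder';
GRANT EXECUTE ON PROCEDURE appdb.save_record  TO 'app_client'@'%';
GRANT EXECUTE ON PROCEDURE appdb.load_records TO 'app_client'@'%';

-- Check: the output should list only USAGE and the two EXECUTE grants.
SHOW GRANTS FOR 'app_client'@'%';
```

From the Java client these are then called through CallableStatement, and the same password recovered from the client still gives no way to reach the table directly.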

Complementing the options that @Marged provided, you could also encrypt and store the credentials in your code. See encrypt/decrypt examples here: Encrypt and decrypt a String in Java. This will hide the credentials from any decompiler.

Going with a web service option is a more serious approach and requires a lot more effort and cost to implement, and then you need to secure it.

Mike Murphy
  • I was looking into the web service option, and that seems the most viable, since wouldn't a determined person still be able to see the decrypted string in memory if they had enough free time and the right tools? I know I'd still have to secure the web server, but where would I start? I mean, what should I google/read about to get started on creating a web service that can handle this? – Mkey Jan 07 '16 at 15:55
  • You will have to put the decryption code into your program, so a decompiler will show that too, which makes that solution not 100% secure. – Marged Jan 07 '16 at 16:02
  • @Marged - agreed, it is still possible to get it out, but it does require a much more serious level of decompiling and debugging. – Mike Murphy Jan 07 '16 at 16:06
  • @Mkey - As I said, web services require a lot more effort and cost. This http://docs.spring.io/spring-ws/site/reference/html/what-is-spring-ws.html might be a good place to start. – Mike Murphy Jan 07 '16 at 16:07
  • @Mkey you might want to consider Spring Boot; see this for examples: http://spring.io/guides/gs/accessing-data-rest/ – Marged Jan 07 '16 at 16:21
  • @MikeMurphy unless you take extra measures like obfuscators, all you need is jd-gui and you get the complete source code of the encryption routine. Too easy for savvy users. – Marged Jan 07 '16 at 16:28