It is definitely a legitimate concern. At the least the password should not be stored in plain text. What I do instead of calling Torque.init(<config file>); is create the import org.apache.commons.configuration.Configuration object: Configuration c = new PropertiesConfiguration(configFile); then manipulate the Configuration object to modify the password in it and then initialize Torque with the Configuration object.
Cheers Guy On Thu, 2007-05-24 at 17:00 -0500, jill han wrote: > I put database user login data in the Torque.properties as > > torque.dsfactory.default.connection.user = username > torque.dsfactory.default.connection.password = userpassword > > At first, I think it is quite common practice. Now somebody questioned > it for the security reason, saying > "Storage of user information in plain text will allow the database > to be compromised if web/app server is hacked." > It was suggested to Encrypt the database details in the configuration > file. > > Do you think it is a legitimate concern? > Do you encrypt such data in the configuration file? > > Your input is appreciated as always. > > Jill > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
