http://www.aspheute.com/english/20040105.asp
might be helpful.

I have only scanned it quickly but it seemed to have some good ideas about how to handle database passwords securely.

Ron

On 24/05/2012 12:07 PM, Will Hoover wrote:
It's difficult to manage these types of configurations. As far as a
self-contained application is concerned, we typically use the POM as the
central source for the configuration of the application. This means that any
datasources etc. get fed their properties via a Maven filter. So a password
(like the one to connect to an internal DB) is filtered and added to our
application's resources. The POM and relevant configuration files contain
the passwords in clear text within the application build. There doesn't seem
to be an elegant solution for this...

Even if we manage to ask the user for a private password to an internal DB,
we typically want to store that hashed password somewhere. We can't put the
hashed password in the DB it's for, or we will never be able to
connect to retrieve it. So, we usually use java.util.prefs.Preferences to
store the hashed password... That introduces maintenance overhead because
that still requires us to programmatically update the configuration every
time the application starts because it's still using the configuration that
is within the build (i.e. other non-application dependencies that require
the configuration file(s)).
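An added example (not code from the thread or from any of its participants) of the alternative Barrie describes further down, applied to the filtered-POM setup above: the password is resolved when the application runs rather than filtered into the artifact by the build, preferring a container-managed JNDI DataSource and falling back to a file outside the jar or an environment variable. The JNDI name `java:comp/env/jdbc/appDb`, the `db.config` system property and the `DB_PASSWORD` variable are assumed names.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** Added example (not the thread's code): resolve the DB password at run time,
 *  never via Maven resource filtering into the artifact. The JNDI name, db.config
 *  and DB_PASSWORD are assumed names. */
public final class DbCredentials {
    private static final String JNDI_NAME = "java:comp/env/jdbc/appDb"; // assumed

    /** Preferred in a container: the server holds the secret, the app never does. */
    public static Connection connectViaJndi() throws NamingException, SQLException {
        DataSource ds = (DataSource) new InitialContext().lookup(JNDI_NAME);
        return ds.getConnection();
    }

    /** Fallback for self-contained (desktop) builds: read from outside the jar,
     *  first a properties file named by -Ddb.config, then the environment. */
    public static char[] resolvePassword() throws IOException {
        String value = null;
        String configPath = System.getProperty("db.config");
        if (configPath != null) {
            Properties p = new Properties();
            try (InputStream in = new FileInputStream(configPath)) {
                p.load(in);
            }
            value = p.getProperty("db.password");
        }
        if (value == null) {
            value = System.getenv("DB_PASSWORD");
        }
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException(
                "no database password configured: set -Ddb.config=<file> or DB_PASSWORD");
        }
        // A value that still looks like a Maven placeholder means the file came from a
        // build whose filtering did not run; refuse it rather than send "${db.password}".
        if (value.startsWith("${") && value.endsWith("}")) {
            throw new IllegalStateException("unfiltered Maven placeholder: " + value);
        }
        return value.toCharArray(); // zero with Arrays.fill after use, unlike a String
    }
}
```

Point `-Ddb.config` at a file that is installed (or written by an installer prompting the user, as Ron suggests) and never checked in or packaged.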

-----Original Message-----
From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
Sent: Thursday, May 24, 2012 10:22 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password entries?

We have done a lot of single sign-on implementations over the years.

Mostly around getting access to remote servers to launch instructional
content from an LMS or getting transparently logged into remote LMS portals.

There are lots of "standard" ways to do this which is almost as bad as
not having standards.

A little off topic for the Maven list.
Ron

On 24/05/2012 8:23 AM, Will Hoover wrote:
Yeah, the last option where we have the user provide a password is where
we're currently headed. Thanks for your input!

-----Original Message-----
From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
Sent: Wednesday, May 23, 2012 2:21 PM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password entries?

I used invisible ink.

You are right that the passwords are in clear text in the JNDI but they
are in a place where they are not supposed to be visible to anyone
except the system administrator.

For desktop applications, you can embed the passwords in the code and
hope that the customers do not reverse engineer or you can provide a
service that the desktop client can call to get a password from your
server to use to unlock the database on their workstation.

If your installation procedure can get a password from the user and use
that for the database, then you are at least giving the user a private
password that will not be any good on another client's database.

It all depends on what use case you are trying to handle.

Ron

On 23/05/2012 12:18 PM, Will Hoover wrote:
Was there a reply in there that I'm overlooking?

-----Original Message-----
From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
Sent: Wednesday, May 23, 2012 11:50 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password entries?

On 23/05/2012 10:33 AM, Will Hoover wrote:
Great posts! Thank you! My only concern with the proposed solutions is the
following:

1) Remote resources, scripts, etc. are great for internal network
deployments (or "ships") such as web applications, but what about desktop
or mobile applications that are self-contained?
2) Even with JNDI and other solutions... at some point the passwords still
reside in clear-text format, right?

BTW, I agree that this should be outside the scope of Maven
responsibilities. I'm just looking for input from other Maveneers and what
measures they have taken to tackle this issue :)

-----Original Message-----
From: Ron Wheeler [mailto:rwhee...@artifact-software.com]
Sent: Wednesday, May 23, 2012 9:54 AM
To: users@maven.apache.org
Subject: Re: How can I eliminate these embedded username and password entries?

This has come up so often I wrote some blogs on it.

http://blog.artifact-software.com/tech/?tag=jndi

On 23/05/2012 9:05 AM, Barrie Treloar wrote:
On Wed, May 23, 2012 at 10:23 PM, Will Hoover<java.whoo...@gmail.com> wrote:
This is an interesting topic of interest. We would like to do a similar
thing with our DB passwords that are in our POMs. Are there any other
options other than the ones described?

Search the archives.
External Resources used at Runtime (rather than build time) are either
stored in JNDI or in property files which are loaded on the classpath.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org

--
Ron Wheeler President Artifact Software Inc email: rwhee...@artifact-software.com skype: ronaldmwheeler phone: 866-970-2435, ext 102
