Skip to main content

Encrypting your jndi data source in Tomcat

I was shocked to discover at my new gig that the database password that Tomcat loaded up into JNDI were not encrypted on the live site.  I was even more shocked that Tomcat does not provide a quick fix for this.

So here's mine.  Encode the password in your text file, and figure out where the below goes in your code:


    /**
     * Get a DataSource for the given JNDI name (with caching of lookups)
     *
     * @param dataSourceJNDIName The DataSource name
     * @return A DataSource for JNDI name 'dataSourceJNDIName', or null if the
     * lookup fails.
     */
    public static DataSource getDataSource(String dataSourceJNDIName)
    {
        DataSource dataSource = null;
        if (null != dataSourceJNDIName) {
            dataSource = (DataSource)dataSourceCache.get(dataSourceJNDIName);
            if (null == dataSource) {
                try {
                    dataSource = (DataSource) jndiContext.lookup(JNDI_PREFIX + dataSourceJNDIName);
                    //cast the datasource to the Apache BasicDataSource class
                    BasicDataSource bds=(BasicDataSource)dataSource;
                    //decrypt the password
                    bds.setPassword(EncryptionHelper.decode(bds.getPassword()));
                    Logs.debug(JNDI_PREFIX + dataSourceJNDIName + " returns " + dataSource);
                    if (null != dataSource) {
                        dataSourceCache.put(dataSourceJNDIName, dataSource);
                    }
                } catch (NamingException name) {
                    Logs.error("Naming exception (" + name + ") on lookup of '"
                        + dataSourceJNDIName + "'.");
                }
            }
        }
        return dataSource;
    }
    

Comments

Unknown said…
It is really not a concern. If they get to ur datasource files, they have already penetrated ur network. Next it is not encryption it is encoding, base 64. Not a difficult thing to hack just one iteration. So it is wrong info. Not accurate info being shared by u.
1:48 PM
Dan Fishman said…
You want to encrypt the DB password so that when the web server is hacked, it doesn't give up the keys to the DB. The webserver is outward facing, the DB should not be. Keeping the passwords encrypted makes sense.

Regarding the encryption method, I agree -- use something stronger that base64. I just threw that in there as an example.
7:25 PM
Post a Comment

Popular posts from this blog

Preventing accidental large deletes.

Instructions for Developers on Using the safe_delete Stored Procedure To enhance safety and auditability of delete operations within our databases, we have implemented a controlled deletion process using a stored procedure named safe_delete . This procedure relies on a temporary table ( temp_delete_table ) that lists complete records intended for deletion, not just their IDs. This approach helps prevent accidental deletions and provides a traceable audit log of delete actions. Why We Are Doing This Controlled Deletions : Centralizing delete operations through a stored procedure reduces the risk of erroneous or unauthorized deletions. Auditability : Using a temporary table to store complete records before deletion allows for an in-depth review and verification process, enhancing our ability to confirm and audit delete operations accurately. Security : Restricting direct delete permissions and channeling deletions through a specific proced...
Post a Comment
Read more
 In software engineering, accumulating code behind a release wall is akin to gathering water behind a dam. Just as a dam must be built higher and stronger to contain an increasing volume of water, the more code we delay releasing, the more resources we must allocate to prevent a catastrophic flood—major bugs or system failures—while also managing the inevitable trickles—minor issues and defects. Frequent, smaller releases act like controlled spillways, effectively managing the flow of updates and reducing the risk of overwhelming both the system and the team. The ideal of ci/cd may not be achievable for all teams, but smaller and faster is always better.
Post a Comment
Read more

October is Cyber Security Month

The President has declared October as Cybersecurity month.  It's not a bad idea -- just like you change the batteries in your smoke detectors once a year, maybe you should review your electronic vulbnerabilities? My top ten security tips: 1) Change your passwords.  You've had them too long, you use the same password in too many places.  Somewhere someone has hacked a site that has your username and password in plain text.  Now they are getting ready to try that username/password somewhere else.  Beat them to the punch. 2) Use a safe browser.  That means anything that's not Internet Explorer.   I prefer chrome. 3) Use 2 step verification for your email account.  If your email doesn't provide 2 step authentication consider switching. 4) Get a free credit report  and review it.  You are entitled to one free report a year.   BE VERY CAREFUL!  There are man scam sites that offer free credit reports.  Go through the s...
16 comments
Read more