db-torque-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Guy Galil <guy_ga...@guardium.com>
Subject Re: encrypt database user info in the Torque.properties?
Date Thu, 24 May 2007 23:34:26 GMT
It is definitely a legitimate concern.
At the least the password should not be stored in plain text.
What I do instead of calling Torque.init(<config file>);
is create the import org.apache.commons.configuration.Configuration
object:
 Configuration c = new PropertiesConfiguration(configFile);
 then manipulate the Configuration object to modify the password in it
and then initialize Torque with the Configuration object.

Cheers Guy

  On Thu, 2007-05-24 at 17:00 -0500, jill han wrote:
> I put database user login data in the Torque.properties as  
> 
> torque.dsfactory.default.connection.user = username
> torque.dsfactory.default.connection.password = userpassword
> 
> At first, I think it is quite common practice. Now somebody questioned
> it for the security reason, saying
> "Storage of user information in plain text will allow the database
> to be compromised if web/app server is hacked."
> It was suggested to Encrypt the database details in the configuration
> file.
> 
> Do you think it is a legitimate concern?
> Do you encrypt such data in the configuration file?
> 
> Your input is appreciated as always.
> 
> Jill
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
> For additional commands, e-mail: torque-user-help@db.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org


Mime
View raw message