db-torque-user mailing list archives

From "jill han" <j...@bynum.com>
Subject RE: encrypt database user info in the Torque.properties?
Date Tue, 29 May 2007 22:39:07 GMT
I use turbine/torque in the app. When "turbine" is turned on, i.e.,
tomcat is started, the db user data will be evaluated. 
I have no idea where such encryption/decryption should start.
I would really appreciate it if some detailed instructions were given.

-----Original Message-----
From: Greg Monroe [mailto:Greg.Monroe@DukeCE.com] 
Sent: Thursday, May 24, 2007 6:37 PM
To: Apache Torque Users List
Subject: RE: encrypt database user info in the Torque.properties?

There is no built-in support for this.

However, if you need that level of security, you can
use the Torque.init(Configuration conf) method to initialize
Torque with a "decrypted" version of your encrypted
config file.

E.g., make an "EncryptProperties" class that takes a
plain text config file and encrypts the whole thing.

Then create a matching DecryptReader class that can
be used to load a PropertiesConfiguration class.  E.g.,


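// DecryptReader, keys and encryptedFile are the classes/values you supply yourself
if ( ! Torque.isInit() ) {
  // Reader that yields the decrypted text of the encrypted config file
  DecryptReader dReader = new DecryptReader(keys, encryptedFile);
  PropertiesConfiguration conf = new PropertiesConfiguration();
  conf.load(dReader);
  // Initialize Torque from the in-memory configuration instead of a plain-text file
  Torque.init(conf);
}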

Of course, if people have access to your compiled classes
they can probably decompile them and find your key values and
encryption methods...

> -----Original Message-----
> From: jill han [mailto:jhan@bynum.com] 
> Sent: Thursday, May 24, 2007 6:01 PM
> To: Apache Torque Users List
> Subject: encrypt database user info in the Torque.properties?
> 
> I put database user login data in the Torque.properties as  
> 
> torque.dsfactory.default.connection.user = username 
> torque.dsfactory.default.connection.password = userpassword
> 
> At first, I thought it was quite common practice. Now somebody 
> questioned it for security reasons, saying "Storage of 
> user information in plain text will allow the database to be 
> compromised if web/app server is hacked."
> It was suggested to encrypt the database details in the 
> configuration file.
> 
> Do you think it is a legitimate concern?
> Do you encrypt such data in the configuration file?
> 
> Your input is appreciated as always.
> 
> Jill
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
> For additional commands, e-mail: torque-user-help@db.apache.org
> 
> 

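One way to fill in the DecryptReader idea from the reply above, as an added example that is not code from the thread or from the Torque project. The class name EncryptedTorqueConfig, the TORQUE_CONFIG_KEY environment variable, the choice of AES-GCM and the nonce-then-ciphertext file layout are all assumptions; it targets commons-configuration 1.x and Java 8 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import org.apache.commons.configuration.PropertiesConfiguration;
import org.apache.torque.Torque;

/** Hypothetical helper. Assumed file layout: 12-byte nonce, then AES-GCM ciphertext and tag. */
public final class EncryptedTorqueConfig {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    /** The key is read from the environment (assumed variable name), not from a constant in a class file. */
    static SecretKeySpec keyFromEnv() {
        String b64 = System.getenv("TORQUE_CONFIG_KEY"); // Base64 of 16 or 32 random bytes
        if (b64 == null) throw new IllegalStateException("TORQUE_CONFIG_KEY is not set");
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    /** One-off step run by the deployer: encrypt the plain-text Torque.properties. */
    static void encrypt(Path plain, Path out, SecretKeySpec key) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // fresh nonce for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(Files.readAllBytes(plain));
        byte[] blob = Arrays.copyOf(nonce, NONCE_LEN + ct.length); // nonce first
        System.arraycopy(ct, 0, blob, NONCE_LEN, ct.length);       // then ciphertext + tag
        Files.write(out, blob);
    }

    /** Plays the DecryptReader role; doFinal throws AEADBadTagException on a wrong key or a modified file. */
    static Reader decrypt(Path enc, SecretKeySpec key) throws Exception {
        byte[] blob = Files.readAllBytes(enc);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        byte[] plain = c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
        return new StringReader(new String(plain, StandardCharsets.ISO_8859_1)); // .properties encoding
    }

    /** Call once at application start-up, before any Torque peer class is used. */
    public static void initTorque(Path enc) throws Exception {
        if (Torque.isInit()) return;
        PropertiesConfiguration conf = new PropertiesConfiguration();
        conf.load(decrypt(enc, keyFromEnv())); // plain text exists only in memory
        Torque.init(conf);
    }
}
```

Keeping the key out of the class files addresses the decompilation caveat in the reply, but the key is still available to anyone who can read the Tomcat process environment on the server.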