ibatis-user-java mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Clinton Begin" <clinton.be...@gmail.com>
Subject Re: AW: Obsfucation in iBatis xml file
Date Thu, 22 Jun 2006 01:45:10 GMT
What are you protecting though?

 -- The SQL?  (why?)
 -- The Passwords?  (fair enough, but you don't have to put those in the XML
file)

I've always said that encryption of iBATIS XML files should be outside of
the scope of ibatis.  That said, we haven't made it easy for you, as the
obvious place to encrypt/decrypt the configuration files is in the Resources
utility class -- which is not easily extended or replaced.

Perhaps we could offer a configurable a stream filter hook in the Resources
class so you can use whatever means you feel comfortable with to encrypt and
decrypt your configuration files with.

Thoughts?

Trivia:  Who knows the history of the iBATIS name and how it relates to
cryptography?

Cheers,
Clinton

On 6/21/06, Paul Benedict <paul4christ79@yahoo.com> wrote:
>
> Larry, why would it slow me down? :-) Configuration files are read once
> and thrown away. If it is slower to boot up, oh well, the 2 AM deployment
> team is going to have to stay up a few more minutes! hehe. But seriously,
> encrypting the file is only a pre-cautionary safe-guard; decrypting probably
> also requires a key to be stored somewhere so if that is also found on the
> file system, I am toast (point granted). But if someone managed to steal the
> jar only, they can't do a thing. -- Paul
>
>
> *Larry Meadors <lmeadors@apache.org>* wrote:
>
> You know, if someone has access to your filesystem, encrypting that
> file is just going to slow you down, not them.
>
> I would focus on securing the filesystem so that only the one user
> that needs access to it has access to it, and letting it protect you.
>
> Encrypting that file IMO is a total waste of time.
>
> Larry
>
>
> On 6/21/06, Paul Benedict wrote:
> > Andre, the concern would be if you have to deploy your application to
> > servers you do not own. Most companies own their servers, but sometimes
> > small businesses use external providers. -- Paul
> >
> >
> > Andre Peterka wrote:
> >
> > I have thought about encrypting the sqlmaps also. But will it be worth
> all
> > the hassle since every RDBMS will provide some kind of monitoring and
> all
> > the sqls will be available anyway.
> >
> > Andre
> >
> > > -----Urspr´┐Żngliche Nachricht-----
> >
> > > Von: Paul Benedict [mailto:paul4christ79@yahoo.com]
> > > Gesendet: Mittwoch, 21. Juni 2006 14:52
> > > An: user-java@ibatis.apache.org
> > > Betreff: Re: Obsfucation in iBatis xml file
> > >
> > > I am looking for the same thing. I'd like to encrypt my
> > > sqlmap files during my packaging phase. But how to decrypt
> > > them? I can only imagine with a custom class loader, maybe AspectJ.
> > >
> > > Tom Henricksen wrote:
> > >
> > > We are working on looking into code obfuscation for
> > > Java application. Is there some way to obfuscate the iBatis
> > > xml file? My guess is probably not as this would be very difficult.
> > > Thanks,
> > > Tom
> > >
> > >
> > >
> > >
> > >
> > > ________________________________
> > >
> > > Do you Yahoo!?
> > > Everyone is raving about the all-new Yahoo! Mail Beta.
> > > > ahoo.com/handraisers>
> > >
> >
> >
> >
> > ________________________________
> > How low will we go? Check out Yahoo! Messenger's low PC-to-Phone call
> rates.
> >
> >
>
> ------------------------------
> Yahoo! Messenger with Voice.<http://us.rd.yahoo.com/mail_us/taglines/postman3/*http://us.rd.yahoo.com/evt=39666/*http://messenger.yahoo.com>PC-to-Phone
calls for ridiculously low rates.
>
>
Mime
View raw message