findbugs and database password security issue

2019-02-17 00:24发布

问题:

I'm using the following code to initialize database connection:


 public Connection getConnection() {
        try {
            if (null == connection) {
                String driverName = "com.mysql.jdbc.Driver"; // MySQL MM JDBC driver
                Class.forName(driverName);

                // Create a connection to the database
                String serverName = "localhost";
                String database = "database";
                String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url
                String username = "username";
                String password = "password";
                connection = DriverManager.getConnection(url, username, password);
            }
            return connection;
        } catch (ClassNotFoundException cnfe) {
            cnfe.printStackTrace();
        } catch (SQLException sqle) {
            sqle.printStackTrace();
        }
        throw new NullPointerException("Cannot establish database connection...");
    }

and I know it's bad practice to do it, also I ran FindBugs against the code, and got the security issue saying the following: This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.

What's the best way to initialize database connection without having this security breach?

回答1:

The vast majority of Web Applications use a hard-coded username/password for their SQL connection. Checking production credentials into source control, or giving interns the ability to delete the production database is generally frowned upon. Production credentials should be protected, and only privileged employees should have access to them.

It is common for web applications to leak their configuration files. For example if a .xml file is stored in the webroot then it can be accessed remotely: http://localhost/configs/db_config.xml.

It is common practice to disallow access to your database (block tcp port 3306 for mysql). In fact this is a requirement of the PCI-DSS. Even if the username and password where to be obtained, it would be useless.



回答2:

Read the password from a properties file or LDAP or similar and secure access to those to only the account used to run the software (which none of the developers should have access to).



回答3:

Use simple files to store the database properties and read them in the code instead of hardcoding. Not only is this clean but you can also restrict file access.

This link may help you.



回答4:

This code creates a database connect using a hardcoded, constant password. .

That security issue arise because, you've used the DB name, username and password. But surely you can't resolve the issue "Anyone with access to either the source code or the compiled code can easily learn the password". I bet U can resolve the first issue.

You can use Properties to include your DB uesrname and password with which you could encode into the Properties object using setproperty() method.

Now you can include the property object into the getConnection() method :

conn = DriverManager(url, properyObject);


回答5:

You can store the password in a config file and then encrypt the file/sections of the file using DPAPI if you are using Windows box. This way, you won't have to worry about key management too.