Connection to the PL/SQL database via a JAVA application. SECURITY ISO 27001


My Java application currently connects to a PL/SQL database; the username and connection password are in the JDBC properties file:

jdbc.username=xxxxxxx
jdbc.password=xxxxxxx
jdbc.url=xxxxxxxxxxxx

Spring uses this data to create the connection and finds it in the applicationContext.xml file:

<!-- Loading of the JDBC configuration file -->
<context:property-placeholder location="xxxx" />

<!-- DataSource configuration -->
<bean id="dataSource" class="xxxxx">
    <property name="driverClassName" value="${jdbc.driverClassName}" />
    <property name="url" value="${jdbc.url}" />
    <property name="username" value="${jdbc.username}" />
    <property name="password" value="${jdbc.password}" />
</bean>

ISO 27001 asks that the connection password not be statically fixed in the code, as developers should no longer be able to access the database password. Any idea how I can fix this?

1 answer


The standard way to solve this in a Java EE architecture is for connections to the database, or to any external source, in production to be provided through the settings of the application server, such as Tomcat, GlassFish, JBoss/WildFly, WebSphere or WebLogic.

This way, only the people authorized to administer the application server in each environment can actually see and modify the password. The application simply "trusts", through its configuration, that the data sources will be provided at run time.

This technique uses JNDI: the server registers the configured data sources in the JNDI registry, and the applications deployed on it look up and consume those objects.

If your application does not use, or cannot use, an application server, other less secure mechanisms for supplying the authentication data include:

  • Through configuration files in protected directories
  • Through environment variables with specific names
  • Through parameters that are passed to the application at startup

However, in those cases you need to be very careful not to end up printing the password in logs or displaying it in some part of the application. It is not uncommon for a tool to dump parameters and environment variables when the program crashes, and some systems also have features that show environment variables, for example.
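As an added example (not part of the original answer), this is what the JNDI approach described above looks like for the Spring XML configuration in the question when the application runs on Tomcat. The resource name `jdbc/appDb`, the host `db.example.internal`, the service name `APPPDB`, the account `app_user` and the pool sizes are assumptions chosen for illustration; only the server administrator fills in the real values, on the server, and nothing of the kind is left in the source tree.

```xml
<!-- Added example; not code from the original page. All names and values are placeholders. -->

<!-- File 1: Tomcat 8+/9 container configuration, either the webapp's META-INF/context.xml
     or the server-wide conf/context.xml. Maintained by the server administrator only. -->
<Context>
  <Resource name="jdbc/appDb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="oracle.jdbc.OracleDriver"
            url="jdbc:oracle:thin:@//db.example.internal:1521/APPPDB"
            username="app_user"
            password="set-on-the-server-never-in-git"
            maxTotal="20"
            maxIdle="5"
            maxWaitMillis="10000" />
</Context>

<!-- File 2: applicationContext.xml in the application. The property-placeholder and the
     driverClassName/url/username/password properties from the question are gone; the
     dataSource bean is now a JNDI lookup, so the app never sees the credentials. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/jee
         http://www.springframework.org/schema/jee/spring-jee.xsd">

  <!-- resource-ref="true" prepends java:comp/env/, so "jdbc/appDb" resolves to the
       Resource the container registered above. Beans that previously depended on
       the "dataSource" bean id keep working unchanged. -->
  <jee:jndi-lookup id="dataSource" jndi-name="jdbc/appDb" resource-ref="true" />

</beans>
```

Two checks worth doing after the switch: make the container's context.xml readable only by the Tomcat service account (owner the Tomcat user, mode 600) and, if you use the per-webapp META-INF/context.xml variant, keep that file out of version control, since it is now the only place the password lives. For the less secure fallback without an application server, the same `${jdbc.password}` placeholder can be left in applicationContext.xml and the `jdbc.password=` line simply deleted from the properties file: Spring's `<context:property-placeholder>` (3.1 and later) also resolves unresolved placeholders against system properties and environment variables, so the value can be injected as `JDBC_PASSWORD` in the service's environment, with the logging caveat from the answer applying in full.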
