The resource definition in Tomcat's server.xml looks something like this…
    <Resource
        name="jdbc/tox"
        scope="Shareable"
        type="javax.sql.DataSource"
        url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
        driverClassName="oracle.jdbc.pool.OracleDataSource"
        username="tox"
        password="toxbaby"
        maxIdle="3"
        maxActive="10"
        removeAbandoned="true"
        removeAbandonedTimeout="60"
        testOnBorrow="true"
        validationQuery="select * from dual"
        logAbandoned="true"
        debug="99"/>
The password is in the clear. How to avoid this?
Best Answer
As said before, encrypting passwords is just moving the problem somewhere else.
Anyway, it's quite simple. Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords. Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml ...) using this class.

And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory and use this factory in your resource.

It will look like:
And for the custom factory:
Hope this helps.
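
One way to write the custom factory described in the answer above, added here as an example; it is not the answerer's code, which did not survive on this page. Assumptions: Tomcat's bundled DBCP 1 package (Tomcat 8 and later ship DBCP 2 under org.apache.tomcat.dbcp.dbcp2), Java 8 or later, a hypothetical class name and `tox.keyfile` system property, and a constructed value format of Base64(12-byte IV || AES-GCM ciphertext and tag). The key is read from a file outside server.xml rather than from a static field.

```java
package com.example.secure; // hypothetical package name
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory; // assumed: Tomcat's bundled DBCP 1

// In the <Resource>: factory="com.example.secure.EncryptedDataSourceFactory"
// and password="<Base64 value produced with the same key>".
public class EncryptedDataSourceFactory extends BasicDataSourceFactory {
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable environment) throws Exception { // raw type as in DBCP 1
        if (obj instanceof Reference) {
            Reference ref = (Reference) obj;
            // Tomcat hands each <Resource> attribute to the factory as a StringRefAddr.
            for (int i = 0; i < ref.size(); i++) {
                RefAddr addr = ref.get(i);
                if ("password".equals(addr.getType())) {
                    String clear = decrypt((String) addr.getContent());
                    ref.remove(i);                                   // drop the encrypted value
                    ref.add(i, new StringRefAddr("password", clear)); // hand DBCP the real one
                    break;
                }
            }
        }
        return super.getObjectInstance(obj, name, nameCtx, environment);
    }

    // Assumed value format: Base64( 12-byte IV || AES-GCM ciphertext with 128-bit tag ).
    static String decrypt(String encoded) throws Exception {
        // Hypothetical system property naming a file that holds the Base64-encoded AES key.
        String keyFile = System.getProperty("tox.keyfile");
        byte[] key = Base64.getDecoder().decode(
                new String(Files.readAllBytes(Paths.get(keyFile)), StandardCharsets.US_ASCII).trim());
        byte[] blob = Base64.getDecoder().decode(encoded);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, blob, 0, 12)); // IV is the first 12 bytes
        return new String(cipher.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
}
```

The key file should be readable only by the account Tomcat runs as; as the answer says, this relocates the secret rather than eliminating it.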