使用Java Servlet API存储敏感

Question

I have web app which is running on Java Servlet web container,specifically on IBM WebSphere.My question is: whether there is the recommended way (as part of Java Servlet API) to store a sensitive data, like user password for example. I can write my own solution from scratch at any time,just was wondering if there is more standard way to achieve the same.

Answer 1

What kind :

• configuration data like database user+password,
• or mass data like member accounts?

Configuration data can be stored outside the application (war), as JNDI data source and such. This would mean that the developers need no access to deployment configuration, and the deployment configuration can have its passwords updated regularly.

For mass data: passwords should be stored as encrypted seeds (irreversible), taking care not to use an unsuitable encryption (for instance passwords with same prefix being encrypted to the same prefix).

For things like patient records address data might be encrypted decryptable, so a dump exposes less info.

Use one or more database user accounts with restricted rights.

Take care of backups: a total database dump is a very attractive treasure. After compression it might be encrypted, in the same pipe.

Answer 2

I am not sure what kind of password and user name you mean but if your web app has the connection with database, you can log into admin console and set up connection using JNDI.

Here is the path:

Resoucrs>Data sources > your_DataSource(set up your data source) > JAAS - J2C authentication data > Your_user (Set up your user, store user and password)