Avoid clear text passwords in JNDI datasource in Tomcat

Question

I am using a JNDI datasource that is configured in tomcat server. I want to avoid storing the password as clear text and also i have an existing encryption logic available in the application used which i want to use to encrypt the database password.

<Resource name="jdbc/testdb" auth="Container"
      factory="com.zaxxer.hikari.HikariJNDIFactory"
      type="javax.sql.DataSource"
      minimumIdle="5" 
      maximumPoolSize="50"
      connectionTimeout="300000"
      driverClassName="org.mariadb.jdbc.Driver"
      jdbcUrl="jdbc:mysql://localhost:3307/testdb"
      dataSource.implicitCachingEnabled="true" 
      connectionTestQuery="Select 1" />

Considering this use case and the possible solutions available online i decided to use org.springframework.jdbc.datasource.UserCredentialsDataSourceAdapter for providing the username and password for the database using the code

<bean id="dataSource1" class="org.springframework.jndi.JndiObjectFactoryBean">
        <property name="jndiName" value="java:comp/env/jdbc/testdb" />
    </bean>

<bean id="dataSource" class="org.springframework.jdbc.datasource.UserCredentialsDataSourceAdapter">
   <property name="targetDataSource" ref="dataSource1"/>
   <property name="username" value="${dataSource.username}"/>
   <property name="password" value="#{passwordDecryptor.decryptedString}"/>
 </bean>

This approach works for me for making connections to MSSQL database but quite strangely fails on MariaDB with the error "Access denied for user ''@'localhost' (Using Password :NO)". I wonder if this issue has got anything to do with the HikariCP connection pool, as the same works with C3P0 implementation without any issues.

Also I would like to know if this is the right approach and please suggest if this can improved for getting better performance.

Answer 1

Ok, I've taking a peek around, give this a shot:

<Resource name="jdbc/testdb" auth="Container"
    factory="org.apache.naming.factory.BeanFactory"
    type="com.zaxxer.hikari.HikariDataSource"
    minimumIdle="5" 
    maximumPoolSize="50"
    connectionTimeout="300000"
    driverClassName="org.mariadb.jdbc.Driver"
    jdbcUrl="jdbc:mysql://localhost:3307/testdb"
    connectionTestQuery="Select 1" />

What is different? We're not using the com.zaxxer.hikari.HikariJNDIFactory . Why? Because the HikariJNDIFactory uses the HikariDataSource(HikariConfig config) constructor, which immediately instantiates the underlying datasource, after which the configuration can no longer be changed.

Using the BeanFactory , we call the default constructor, which does not instantiate the underlying datasource until the first call to getConnection() , which means we are free to set the username/password after the JNDI lookup.

On the Spring side:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee" xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd">

<jee:jndi-lookup id="dataSource"
   jndi-name="jdbc/testdb"
   cache="true"
   lookup-on-startup="true"
   expose-access-context="true">
     <property name="dataSourceProperties">
        <props>
           <prop key="user">${dataSource.username}</prop>
           <prop key="password">${passwordDecryptor.decryptedString}</prop>
        </props>
     </property>
</jee:jndi-lookup>

I believe this should work, or something very close to it. I am going to make an addition to HikariCP too honor the passing of the JNDI environment so that <jee:environment> can be used inside of the <jee:jndi-lookup> tag for a cleaner solution.