Code showing username and password for connecting to server

Question

I'm writing a method that make it possible for my Java program to create a database connection that will eventually make me able to access it from other classes/methods.

public class DatabaseConnection
{
    
    private Connection databaseLink;
    
    public Connection getConnection()
    {
        String url = "jdbc:mysql://localhost/DBname";
        
        try
        {
            Class.forName("com.mysql.cj.jdbc.Driver");
            databaseLink = DriverManager.getConnection(url, "fakeUsr", "fakePsw");  //these are not the real username/password
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
        
        return databaseLink;
    }
}

I've got a couple of issues: 1)people not using my computer will not be able to get into my server since I wrote "localhost":

String url = "jdbc:mysql://localhost/DBname";

2)I've typed the real username and password instead of "fakeUsr" and "fakePsw". The thing is: I'm quite sure that the average user of my program should NOT be able to access that information. Is there any other way to permit access to a DB without making username and password readable by virtually anyone getting access to my source code?

For issue n. 1: I tried to type my IP address instead of "localhost" here: String url = "jdbc:mysql://localhost/DBname"; //changed localhost to my IP address String url = "jdbc:mysql://localhost/DBname"; //changed localhost to my IP address

but then I get "Communications link failure".

For issue n. 2: I have literally no idea how to solve this. I've never coded a program that needs access to a DB so I had to improvise a bit for that.

Answer 1

About Issue #2:

There is no secure way of storing the password inside the code itself. You can of course try to encrypt the password, but then your code has to decrypt it when the connection is established and therefore the encryption key is visible virtually "to all that have access to your source code". With this key, it is possible to get to the real password, just a little bit more complicated.

The only secure way is to have the user enter the login credentials by his own . Either low level (program arguments when starting your application) or by some form of "login dialog", if the application has a GUI.

A third option would be to create a technical user with restricted DB access, depending on the application you are working on. But this usually causes security issues.

Answer 2

You could create your application such that it sends an https request and authenticate itself against a webserver. What you use to authenticate is up to you: Client IP, username, password, client certificates, ...

Once authenticated, your webserver could transfer a one-time username/password that the client uses to login into your database.

The advantage here is that you can still control whether the user gets full or restricted access, or gets no password any more for whatever reason. And there is no security hole in your application.

Answer 3

1) Most Inte.net providers don't allow ordinary users to accept incoming socket connections, both for security reasons and because the.network traffic can quickly overwhelm consumer grade.networks. You will have to either purchase a commercial Inte.net connection which allows incoming connections, or look for a server you can lease or borrow. I'm afraid I don't know what options are available.

2) As MrFreeze correctly pointed out, there is no way to safely embed credentials in an application. No matter what you do to obscure your database login credentials, someone can always decompile your program and figure out how you are decrypting those credentials. The only truly safe solution is to tell users you trust what the credentials are, then write your application so the user must enter them.

Side note: Class.forName("com.mysql.cj.jdbc.Driver"); has not been needed for many years. You can remove that line.