encrypt database username and password in java?

Question

Actually by type 4 db connection from java i am connecting to oracle database like this:

In dbconnection.java i have written below:

  Class.forName("oracle.jdbc.driver.OracleDriver"); 
   con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:database host name","database user name", "database user password"); 
  return con;

Is there any method how can i write these 3 fields(database host, database username, database user password) in encrypted form in java class dbconnection.java like below:

  Class.forName("oracle.jdbc.driver.OracleDriver"); 
   con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:wrtwtr#$%$_rfwrw","regfwerfgwf", "%%5frfr^&%$%4"); 
  return con;

and during database connection, these encrypted fields will be decrypted and will be connected to oracle database in actual names

Then in servlet i am calling like:

  dbconnection db= new dbconnection();

Any help please

Answer 1

I'm not aware of any way to do that.

But I also don't see what doing this would achieve. Sure, the username and password are not shown in clear, but a bad guy who had access to those encrypted strings would be able to use them the same way as your program does.

Answer 2

Rather than trying to hide your connection details, you should provide a secure way to allow externally controlled applications (or instances of applications) to access your database.

An API is basically a middle layer between your database and an application you do not have control over. For example, facebook, rather than allowing direct access to their database, allows developers to access their data through an API. This means that applications can be authenticated (thus meaning they can be held responsible), and you can control explicitly what applications can and cannot see and edit.

Basically, through an API, you can protect your database while simultaneously keeping track of who is doing what (though the protection aspect is usually the main draw).

I must say though that sometimes, if you trust the people using the application, it's just easier to not worry about it. For example, if you work at a small company of competent, well meaning people, then it would likely be safe to allow the application to connect directly to the database.

If you are distributing your program to the general public though, or a large set of people whom you do not completely and totally trust, then you should not allow direct access, no matter what kind of precautions are taken.

Assume that you do figure out how to encrypt your credentials. At some point, you must still make the connection. What happens now if a user grabs the decryption/connection code, has the connection made, then inserts his own code after it? Suddenly he has access to your database. With an API, worst case, he could steal the API key and have limited, traceable, easily revokable access.

And besides, if you're allowing access to an API, you only allow users to do what you want them to do. So worst case, if he does figure out how to use the API directly, all he can do is what the program allows him to do anyway.

Answer 3

Passing encrypted data to the DriverManager is not an option.
You should pass the decrypted string into DriverManager . So somewhere you would have the user name and password encrypted and then decrypt them before passing them to the DriverManager
Then you would have other issues eg where to store private key etc, but as a first defence it would be better than using plaintext since my understanding is that you have some security requirement.

You did not mention what OS you are using. If you are using Windows I would suggest to use Windows based authentication (the connection to the database is authenticated against the current windows user).So no need to provide user name and password in the connection string. Check if Oracle supports this (have tried only with MS-SQL server.Hopefully the link I provided is useful).
This is IMHO the best option. For Linux there must be something equivalent.