Knowledge Base > Article [0065]

Plain text password concern

You are probably aware that the password of the JDBC connection in Tomcat's server.xml is stored in plain text.

<Resource driverClassName="com.mysql.jdbc.Driver" maxActive="1000" maxIdle="2" maxWait="5000" name="jdbc/DasDS" password="changeit" type="javax.sql.DataSource" url="jdbc:mysql://localhost:3306/dualshield?useUnicode=true&amp;characterEncoding=UTF-8" username="root" validationQuery="Select 1"/>

Which certainly is not good, you think. We totally agree with you; however, it is a dilemma inherent in JDBC connections. Please first check the discussions on Stack Overflow.

Basically, the problem is this: you could encrypt the password, but then you need a key to decrypt it, and you are stuck with the same problem of protecting that key.

In the predecessor of DualShield (V3x), we provided a fixed symmetric key in a jar to encrypt the password; when Tomcat connected to the SQL server, it used the same jar to decrypt it. You can imagine it is something like "You locked the door, but left the key in the keyhole".

There were another two reasons we discarded this method in DualShield. First, some customers forgot their original password and then asked us for help to retrieve it! Secondly, some companies have a password policy that requires the password to be reset periodically, and they then asked us to generate a new encrypted password.

So, we told them:

For encryption:

C:\Program Files\Deepnet DualShield\tomcat\lib>..\..\jre\bin\java -jar deepnet-common.jar changeit

Your cipher text: 54q7xOgSTwNZfXRGkE2FTA==

For decryption, add -d as the switch:

C:\Program Files\Deepnet DualShield\tomcat\lib>..\..\jre\bin\java -jar deepnet-common.jar -d 54q7xOgSTwNZfXRGkE2FTA==

Your plain text: changeit

You should use the same method on the username field.

To be honest with you, among ourselves we had a dispute over this method. If you still think it is more secure and want to try it, you can download the jar and put it under the folder

C:\Program Files\Deepnet DualShield\tomcat\lib

After that, modify the connection string in the server.xml file to something like:

<Resource driverClassName="com.mysql.jdbc.Driver" factory="com.deepnet.tomcat.DeepnetDataSourceFactory" maxActive="1000" maxIdle="2" maxWait="5000" name="jdbc/DasDS" password="54q7xOgSTwNZfXRGkE2FTA==" type="javax.sql.DataSource" url="jdbc:mysql://localhost:3306/dualshield?useUnicode=true&amp;characterEncoding=UTF-8" username="M8ciiqU0k44=" validationQuery="Select 1"/>

Please notice that a new attribute, "factory", is added.

Update:

Probably the simplest way is to still use the plain text password but limit file access: change the security of the server.xml file so that only SYSTEM and Administrators can read/write it.
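The following PowerShell script is an added example, not part of this article or of the DualShield product, showing how to apply that file restriction and verify it. It assumes server.xml lives in the standard Tomcat conf folder under the DualShield installation; the article only names the tomcat\lib folder, so adjust the path to your installation.

```powershell
# Added example (not Deepnet code): restrict server.xml so that only SYSTEM and the
# local Administrators group can read or write it. The path below is assumed.
$serverXml = 'C:\Program Files\Deepnet DualShield\tomcat\conf\server.xml'

$acl = Get-Acl -Path $serverXml

# Stop inheriting the ACL from "Program Files" and drop the inherited entries;
# otherwise BUILTIN\Users keep read access through inheritance.
$acl.SetAccessRuleProtection($true, $false)

# Remove every explicit entry that is still present (iterate over a snapshot).
foreach ($rule in @($acl.Access)) {
    $null = $acl.RemoveAccessRule($rule)
}

# Grant FullControl to SYSTEM and Administrators only.
foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $serverXml -AclObject $acl

# Verify: list every identity that can still read the file. Anything other than
# the two identities above means the tightening did not take effect.
(Get-Acl -Path $serverXml).Access |
    Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If the Tomcat Windows service runs under a dedicated service account rather than LocalSystem, that account also needs Read access to server.xml, or Tomcat will fail to start.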

If you are using MS SQL, then you can try KB59, which avoids the password completely.