Secure JDBC authentication without providing plaintext passwords




foidulus
Feb 24, 2008, 05:09 PM
At work I have been tasked with finding a system to replace the old plaintext username/password system that we have been using for our apps to connect to JDBC. We have about 100 workstations bound to our Open Directory Server and are not connected to the internet. We used to just throw the username and password in a plain text file, but are looking for a more secure way to do this. Is there any way to authenticate the user without forcing them to enter yet another password?

All the workstations are Tiger 10.4.10 and the DB server is running postgres on RHEL 4.

Thanks!



Cromulent
Feb 24, 2008, 05:44 PM
At work I have been tasked with finding a system to replace the old plaintext username/password system that we have been using for our apps to connect to JDBC. We have about 100 workstations bound to our Open Directory Server and are not connected to the internet. We used to just throw the username and password in a plain text file, but are looking for a more secure way to do this. Is there any way to authenticate the user without forcing them to enter yet another password?

All the workstations are Tiger 10.4.10 and the DB server is running postgres on RHEL 4.

Thanks!

Couldn't you just use SSL or something similar?

robbieduncan
Feb 24, 2008, 06:03 PM
Couldn't you just use SSL or something similar?

I think the issue is not the over-the-wire transfer of the passwords: JDBC can already encrypt that. The issue is that there is a "functional" account, i.e. a shared account everyone uses. At the moment they simply include a plain text file with the username/password in it. The problem with this is that the user group can discover the username/password and log directly into the database, bypassing the app.

I'd suggest accessing the Keychain from Java. A quick Google search indicates it should be possible.
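One way to do what the last post suggests, as an added example that is not from anyone in this thread: a small Java class that reads the database password from the user's macOS login keychain through the `security` command-line tool and hands it to the PostgreSQL JDBC driver, so no credential sits in a plain text file. It assumes `security find-generic-password -w` is available on the workstations, and the JDBC URL, database user and keychain item name are placeholders to replace.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

/** Looks up a DB password in the macOS Keychain and opens a JDBC connection with it. */
public final class KeychainJdbc {

    /** Reads the password stored for service/account in the user's (unlocked) login keychain. */
    static char[] readKeychainPassword(String service, String account)
            throws IOException, InterruptedException {
        // "-w" makes the tool print only the password, one line, to stdout (assumed available).
        ProcessBuilder pb = new ProcessBuilder(
                "/usr/bin/security", "find-generic-password", "-s", service, "-a", account, "-w");
        Process p = pb.start();
        String line;
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream(), "UTF-8"))) {
            line = r.readLine();
        }
        int rc = p.waitFor();
        if (rc != 0 || line == null || line.isEmpty()) {
            // Fail closed: no item, locked keychain, or the user denied access to this item.
            throw new IOException("keychain lookup failed for " + service + " (exit " + rc + ")");
        }
        return line.toCharArray();
    }

    /** Opens a JDBC connection using the keychain secret; the secret never touches disk. */
    static Connection connect(String jdbcUrl, String dbUser, String keychainService) throws Exception {
        char[] pw = readKeychainPassword(keychainService, dbUser);
        try {
            Properties props = new Properties();
            props.setProperty("user", dbUser);
            props.setProperty("password", new String(pw)); // driver API only accepts a String
            props.setProperty("ssl", "true");              // PostgreSQL JDBC: also encrypt on the wire
            return DriverManager.getConnection(jdbcUrl, props);
        } finally {
            java.util.Arrays.fill(pw, '\0'); // clear our own copy once the driver has it
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: hostname, database, user and keychain item are site-specific.
        try (Connection c = connect("jdbc:postgresql://db.example.internal:5432/appdb",
                "appuser", "example-app-db")) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

Because the login keychain is unlocked with the user's directory password at login, the user is not prompted for another password, and each workstation account holds its own keychain item rather than a shared file.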