It is alot simpler to have one database user and do ACL that way.

Simple question...Where and how should I store the username and password for a Swing application?

So users don't find the username and password and login to the database directly, would my best bet be to store an encrypted username and password in a properties file and decrypt it before sending to the database server?

Just wanted to know other's thoughts on this problem, obviously web applications don't have this problem because no one will ever have access to look at a username and password stored on the web server.

Thanks

Well everybody evil can still decrypt your password himself since your application has to contain the key and algorithm to decrypt and thats pretty easy to crack. You shouldn't have applications possibly malicious users use connect to your database directly anyways.

Java 1.4 has build in Kerberos support. I'd start there. Check out the javax.security.auth.kerberos package. Or try other classes in the javax.security.auth subpackages.

The java security features are quite nice actually, however I have not heard of anyone using it for direct authenitcation against the database (so in a 2-layer architecture). Is that possible?

Well, I hear that postgres can be a kerberos service. http://www.guides.sk/pgsql/sgml/auth-methods.html#KERBEROS-AUTH

I'm assuming that the java classes could interface with it. Big "if," though. :)

I do not think it can help, you need to protect keys any way, if you do not want to let user connecto to database without app.
The most common way for desktop app is to use RDBMS security, user know his password and enters on app startup (app never stores passwords itself). If input validation rules and security is implemented in RDBMS you do not need to care about connection type (direct access is safe as app connection).

P.S. I am sure java developers can not agree with this, but do not ignore
RDMS features if you need quality.