
All times are UTC - 5 hours [ DST ]



 Post subject: How to keep database password out of configuration files
PostPosted: Thu Jan 31, 2008 6:33 pm 
Newbie

Joined: Thu Jan 31, 2008 6:18 pm
Posts: 4
Hi,

I have been building my first hibernate app and can't seem to find any references to secure password policies. It seems that everyone just puts their passwords in the configuration file.

We can't do this as our source control is viewable by many users - so my question is can I put a {placeholder} for a password in the config file(s) and populate them programmatically before invoking hibernate?

Thanks,

P


 
 Post subject: Re: How to keep database password out of configuration files
PostPosted: Thu Jan 31, 2008 6:56 pm 
Expert

Joined: Wed Apr 11, 2007 11:39 am
Posts: 735
Location: Montreal, QC
How about using a place holder? If you really need to use the Hibernate connection pool, then you could put in an Ant-style place holder and have Ant filter those values for you at build time.


Farzad-


 
 Post subject: Re: How to keep database password out of configuration files
PostPosted: Thu Jan 31, 2008 6:58 pm 
Expert

Joined: Wed Apr 11, 2007 11:39 am
Posts: 735
Location: Montreal, QC
farzad wrote:
How about using a place holder?


I meant how about a data source? My apologies.


Farzad-


 
 Post subject: Re: How to keep database password out of configuration files
PostPosted: Sat Feb 02, 2008 8:07 am 
Newbie

Joined: Thu Jan 31, 2008 6:18 pm
Posts: 4
farzad wrote:
farzad wrote:
How about using a place holder?


I meant how about a data source? My apologies.


Farzad-


OK I've found some example fragments and it looks like I can use JNDI as follows:

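Code:
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import org.postgresql.jdbc3.Jdbc3PoolingDataSource; // PostgreSQL JDBC driver

// Build a pooling data source in code and publish it in JNDI
Jdbc3PoolingDataSource source = new Jdbc3PoolingDataSource();
source.setDataSourceName("A Data Source");
source.setServerName("localhost");
source.setDatabaseName("test");
source.setUser("testuser");
source.setPassword("testpassword");
source.setMaxConnections(10);
// Requires a JNDI provider; throws NamingException if none is available
new InitialContext().rebind("DataSource", source);

Then code to use a connection from the pool might look like this:

Code:
Connection con = null;
try {
    // Look up the data source under the name it was bound with above
    DataSource source = (DataSource) new InitialContext().lookup("DataSource");
    con = source.getConnection();
    // use connection
} catch (SQLException e) {
    // log error
} catch (NamingException e) {
    // DataSource wasn't found in JNDI
} finally {
    if (con != null) {
        // closing returns the connection to the pool
        try { con.close(); } catch (SQLException e) {}
    }
}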



with hibernate config:

Code:
<session-factory
   name="java:comp/hibernate/SessionFactory">
   <property name="connection.datasource">
      jdbc/myDataSource
   </property>
</session-factory>


My question is how do I get the Hibernate config to see the reference I programmatically created to source?

Can you give an example or amend my code?

Thanks

P


 
 Post subject:
PostPosted: Sat Feb 02, 2008 9:48 am 
Newbie

Joined: Tue Jan 15, 2008 10:07 am
Posts: 14
You need access to a JNDI service provider. Either run the application inside an application server or use a stand-alone JNDI service provider to bind and retrieve the datasource.


 
 Post subject:
PostPosted: Sat Feb 02, 2008 11:27 am 
Newbie

Joined: Thu Jan 31, 2008 6:18 pm
Posts: 4
JelleKlap wrote:
You need access to a JNDI service provider. Either run the application inside an application server or use a stand-alone JNDI service provider to bind and retrieve the datasource.


How do I do that? I've not written an application server before (not even that confident what one is). Sounds like a stand-alone service provider is what I'd prefer (is this lighter?) - can you point me to how to use it this way and/or post an example.

Thanks,

P


 
 Post subject: Re: How to keep database password out of configuration files
PostPosted: Sat Feb 02, 2008 4:23 pm 
Expert

Joined: Wed Apr 11, 2007 11:39 am
Posts: 735
Location: Montreal, QC
Why do you need to make it so complicated? If I understand correctly, you just need to keep your password away from your version control repository. In that case just store passwords locally and have Ant replace them for you at build time.

Farzad-


 
 Post subject: Re: How to keep database password out of configuration files
PostPosted: Sat Feb 02, 2008 7:06 pm 
Newbie

Joined: Thu Jan 31, 2008 6:18 pm
Posts: 4
farzad wrote:
Why do you need to make it so complicated? If I understand correctly, you just need to keep your password away from your version control repository. In that case just store passwords locally and have Ant replace them for you at build time.

Farzad-


I can't deploy the password either - our production directories are again visible to many people. We have a secure mechanism for obtaining passwords from shell scripts and typically pass the usernames/passwords as environment variables into our program on invocation from autosys (all this is a batch program, by the way).

Slightly off topic, but passwords are not the only things we might want to change. E.g. I write a lot of configurable arguments to the scripts (using getopts) that provide target database servers (dev, test, qa, prod), logging level, target email notifications etc. We use Spring and bind parameters to defer configuration options to allow us to alter application behaviour as needed, and we can use a single Spring application config file. I am essentially looking for the same pattern with Hibernate (for example I might want to switch off SQL logging to focus on other activity).

Passwords are the most important, however. Our environment, as I say, is (intentionally) open, so security around passwords is tightly controlled through the use of production IDs, so we need to be able to defer using passwords till the very last moment.

If we can configure a data source in java then 'inject' this into hibernate that would be the most ideal solution for us - hence the reason for this thread.

I'm not trying to over-complicate, if anything I want to avoid using application servers and other heavyweight approaches, but I still want the flexibility of allowing config from the command line, combined with the efficiencies of using Hibernate.


Top
 Profile  
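One way to get what the last post asks for without an application server or JNDI, as an added example that is not part of the original thread: load a credential-free `hibernate.cfg.xml` and supply the connection settings from the environment just before building the `SessionFactory`. The class name and the `APP_DB_*` / `APP_SHOW_SQL` variable names are hypothetical, and the config file is assumed to contain no `connection.password` property.

```java
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;

public final class EnvConfiguredSessionFactory {

    // Hypothetical variable names, set by the wrapper script before the JVM starts
    static final String URL_VAR = "APP_DB_URL";
    static final String USER_VAR = "APP_DB_USER";
    static final String PASSWORD_VAR = "APP_DB_PASSWORD";
    static final String SHOW_SQL_VAR = "APP_SHOW_SQL";

    // Fail fast with the variable name only; never echo the value
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    public static SessionFactory build() {
        // Reads mappings and non-secret settings from hibernate.cfg.xml
        Configuration cfg = new Configuration().configure();

        // Guard: a password in the file means a secret reached source control
        if (cfg.getProperty("hibernate.connection.password") != null) {
            throw new IllegalStateException(
                "hibernate.cfg.xml must not contain connection.password");
        }

        // Programmatic properties are applied on top of the file's values
        cfg.setProperty("hibernate.connection.url", requireEnv(URL_VAR));
        cfg.setProperty("hibernate.connection.username", requireEnv(USER_VAR));
        cfg.setProperty("hibernate.connection.password", requireEnv(PASSWORD_VAR));

        // Optional non-secret override, e.g. switching SQL logging off per run
        String showSql = System.getenv(SHOW_SQL_VAR);
        if (showSql != null) {
            cfg.setProperty("hibernate.show_sql", showSql);
        }
        return cfg.buildSessionFactory();
    }
}
```

Environment variables can be read by other processes running under the same account, so the production ID that launches the batch job should be the only one able to inspect it, and the `Configuration` properties should never be logged.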
 