
All times are UTC - 5 hours [ DST ]



 Post subject: Encryption
Posted: Thu Sep 06, 2007 12:48 pm
Newbie

Joined: Wed Jul 25, 2007 2:54 pm
Posts: 6
I've been looking into finding a way for a Hibernate application not to have a plain text data source password in hibernate.cfg.xml.

There does not seem to be a good way to do this. But that would seem to be a pretty significant lack. Am I missing something?

Thanks


 Post subject:
Posted: Fri Sep 07, 2007 1:55 am
Newbie

Joined: Wed Sep 05, 2007 6:34 pm
Posts: 13
Hmm...

What kind of application is this for? Is it
    a web application (where the end user does not have access to hibernate.cfg.xml)?
    or a standalone application (with the hibernate.cfg.xml freely available to the end user)?

Or is this to keep the password out of a shared repository?


 Post subject:
Posted: Fri Sep 07, 2007 11:09 am
Newbie

Joined: Wed Jul 25, 2007 2:54 pm
Posts: 6
TheConfusedOne wrote:
Hmm...

What kind of application is this for? Is it
    a web application (where the end user does not have access to hibernate.cfg.xml)?
    or a standalone application (with the hibernate.cfg.xml freely available to the end user)?
Or is this to keep the password out of a shared repository?


Hi -

At the moment it would be a standalone application, not living under an application server. The requirement is that the password not be stored in plain text in the file on the disk.

Perhaps a two key system could be used where a key phrase in memory, as an environment variable, was used to validate the password in the file. Or in the case of a weaker encryption, perhaps a pluggable module could decrypt the password prior to its use in connecting to the database. Or perhaps an additional round of validation could be hooked in, requiring the user to enter a password.

There do seem to be ways of pointing Hibernate at data sources managed by other entities, and maybe those entities would be able to manage the validation differently. However this seems like a complicated solution. Really, my only requirement is that the password not be in plain text on a file on the disk.

Thanks


 Post subject:
Posted: Sat Sep 08, 2007 10:54 pm
Newbie

Joined: Wed Sep 05, 2007 6:34 pm
Posts: 13
I'm a bit confused about the 2-key system vs. a pluggable module. To me they seem the same. (I'm probably missing something).

I don't think that it is safe to allow a remote program access to your database without further protections. Even if the password is not stored in plain-text, can't a user just listen-in to the outgoing packet after it's been decrypted?

Code:
 ======          pass=12345          =========
|client|      ---------------->     |db server|
 ======                              =========


I don't know the best answer to this problem... Web services are one way I think.

Is my understanding correct?

I think I found something you may be looking for after googling for "encrypting hibernate password":
http://www.javalobby.org/java/forums/t93046.html
http://www.jasypt.org/hibernate3.html


 Post subject:
Posted: Mon Sep 10, 2007 12:14 pm
Newbie

Joined: Wed Jul 25, 2007 2:54 pm
Posts: 6
TheConfusedOne wrote:
I'm a bit confused about the 2-key system vs. a pluggable module. To me they seem the same. (I'm probably missing something).

I don't think that it is safe to allow a remote program access to your database without further protections. Even if the password is not stored in plain-text, can't a user just listen-in to the outgoing packet after it's been decrypted?

Code:
 ======          pass=12345          =========
|client|      ---------------->     |db server|
 ======                              =========


I don't know the best answer to this problem... Web services are one way I think.

Is my understanding correct?

I think I found something you may be looking for after googling for "encrypting hibernate password":
http://www.javalobby.org/java/forums/t93046.html
http://www.jasypt.org/hibernate3.html


What I'm suggesting when I mentioned two approaches is that some sort of trivial encryption (non-two-key) would meet the requirement. Software that reads the "encrypted" password from the file, decodes it, and uses it, would work for me.

Yes, this is not secure over a network, but for the requirement I'm looking to meet, there is no network. The only requirement is that the password not be sitting there on the disk in a plain text file. That simple, that's it.

I could also scramble the entire XML file, using some external tool. But I'd need some way to decode it and allow Hibernate to access the setup without having the decoded XML on a disk file.

I looked at uses of jasypt and using a web service (before posting here) or some other way to define the data source. This could probably meet the requirement, but this is what I'm calling overkill. My application does not otherwise need a container, it's a simple standalone Java application. The security requirement is not a super-duper one. It just shouldn't be so trivial to see the password.

Thanks for the consideration


 Post subject:
Posted: Mon Sep 10, 2007 9:48 pm
Newbie

Joined: Wed Sep 05, 2007 6:34 pm
Posts: 13
Sorry, I should have looked better at the link I sent you...

I did some more searching, and I think using your own ConnectionProvider is a possible solution:
Providing Connections for Hibernate.

The following worked for me. (note: I added another line in hibernate.cfg.xml: <property name="connection.provider_class">util.EncryptedConnectionProvider</property> that the above link does not mention)

hibernate.cfg.xml:
Code:
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE hibernate-configuration PUBLIC
        "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
        "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">

<hibernate-configuration>

    <session-factory>

        <!-- Database connection settings -->
        <property name="connection.provider_class">util.EncryptedConnectionProvider</property>
        <property name="connection.driver_class">org.postgresql.Driver</property>
        <property name="connection.url">jdbc:postgresql:template1://localhost</property>
        <property name="connection.username">pg2</property>
        <property name="connection.password">ABCDE</property>

        <!-- JDBC connection pool (use the built-in) -->
        <property name="connection.pool_size">1</property>

        <!-- SQL dialect -->
        <property name="dialect">org.hibernate.dialect.PostgreSQLDialect</property>

        <!-- Enable Hibernate's automatic session context management -->
        <property name="current_session_context_class">thread</property>

        <!-- Disable the second-level cache  -->
        <property name="cache.provider_class">org.hibernate.cache.NoCacheProvider</property>

        <!-- Echo all executed SQL to stdout -->
        <property name="show_sql">true</property>

        <!-- Drop and re-create the database schema on startup -->
        <property name="hbm2ddl.auto">update</property>

        <mapping resource="events/Event.hbm.xml"/>

    </session-factory>

</hibernate-configuration>


EncryptedConnectionProvider.java
Code:
package util;

import java.util.Properties;

import org.hibernate.cfg.Environment;
import org.hibernate.connection.ConnectionProvider;
import org.hibernate.connection.DriverManagerConnectionProvider;

public class EncryptedConnectionProvider extends
      DriverManagerConnectionProvider implements ConnectionProvider {

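   // Hibernate passes in the properties from hibernate.cfg.xml; swap the stored
   // (encoded) password for the decoded one before the pool is configured.
   public void configure(Properties props) {
      String encryptedPassword = props.getProperty(Environment.PASS);

      // Only decode when a password is actually configured (avoids a NullPointerException).
      if (encryptedPassword != null) {
         props.setProperty(Environment.PASS, decryptPassword(encryptedPassword));
      }

      super.configure(props);
   }

   // Placeholder "decryption": just lowercases the stored value.
   private String decryptPassword(String encryptedPass) {
      return encryptedPass.toLowerCase();
   }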
   
}


My encryption scheme above is pretty simple--I'm just converting the password to lowercase. You could implement your own encryption strategy (perhaps the jasypt project would be useful here). Also, I believe this uses Hibernate's built-in simple connection pooling. To switch, I think you would extend another ConnectionProvider (e.g. C3P0ConnectionProvider).

Hope this helps!

-- Dan
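
Added example (not part of the thread, and not Hibernate or jasypt code): one way to replace the lowercase placeholder in decryptPassword with authenticated encryption, using only JDK classes and taking the key phrase from an environment variable as suggested earlier in the thread. The class name PasswordVault, the variable name HIBERNATE_DB_KEY, the storage layout and the sample values are assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper for this thread's scenario; not part of Hibernate or jasypt.
public final class PasswordVault {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    private static SecretKeySpec deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 200_000, 256);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(key, "AES");
    }
    // Returns base64(salt || iv || ciphertext+tag), the value to place in connection.password.
    public static String encrypt(String plain, char[] passphrase) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }
    // Fails with AEADBadTagException if the passphrase is wrong or the stored value was edited.
    public static String decrypt(String stored, char[] passphrase) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("value too short");
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, in, SALT_LEN, IV_LEN));
        byte[] pt = c.doFinal(in, SALT_LEN + IV_LEN, in.length - SALT_LEN - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String env = System.getenv("HIBERNATE_DB_KEY"); // assumed variable name
        char[] passphrase = (env != null ? env : "constructed-demo-passphrase").toCharArray();
        String stored = encrypt("constructed-db-password", passphrase);
        System.out.println(stored + " -> " + decrypt(stored, passphrase));
    }
}
```

In EncryptedConnectionProvider, decryptPassword would call PasswordVault.decrypt with the stored value and the environment variable's contents. Anyone who can read both the config file and the process environment can still recover the password, so this meets the "not plain text on disk" requirement and nothing stronger.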


 Post subject:
Posted: Tue Sep 11, 2007 12:24 pm
Newbie

Joined: Wed Jul 25, 2007 2:54 pm
Posts: 6
That looks really good! Thanks for the tip.

