
I was looking over similar questions but I didn't find the right answer, and I think that there has to be some secure solution.

I have a client-server application. The clients connect to the central MySQL database, which is on the server. My problem is how to securely store the database password in the client desktop application. For now I am storing it in encrypted form in a Java properties file. But properties files are readable, and after decompiling my application everybody can see which crypt function I use for encoding the password and can easily get the password. So I think that there is no way to securely store the DB password in the client application, am I right?

The solution could be that the client application does some handshake with the server to get the database password. Are there any rules or patterns for how to do this handshake?

I found an exhaustive answer for this question: stackoverflow.com/questions/442862/… –  HPCS Nov 20 '11 at 18:10

1 Answer

Take a look at OAuth for authorization.

    
I don't see how this helps protect a database password? You would need an OAuth webservice on the server to supply passwords to validated clients - do you know of such a thing? –  Simon G. May 29 '11 at 11:06
    
No, but you could probably build one with the right frameworks. –  Alex Reynolds May 29 '11 at 20:02
    
I agree with Simon G., OAuth is a good solution for you for authentication since it only stores a Token on the local client's machine. More fundamental than that however, I would strongly recommend putting an appserver between your client and the database. It's not a good idea to expose your DB to the Internet on an open port, it is potentially a much greater threat than storing passwords in your jar. If you really still want to talk directly to the DB, you could configure your application server to proxy requests from authorized users to the DB. Again, I'd use OAuth for authentication. –  gwood Jun 6 '11 at 20:16
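
The app-server arrangement suggested in the comments above, sketched as an added example (not code from any poster): the server keeps the signing key and the MySQL password, and the desktop client stores only a short-lived signed token. This is a simplified HMAC bearer token standing in for an OAuth access token; the class name `TokenGateway` and its methods are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;

// Server-side only: the desktop client never sees signingKey or the DB password.
public class TokenGateway {
    private final byte[] signingKey = new byte[32];
    TokenGateway() { new SecureRandom().nextBytes(signingKey); }

    private byte[] sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(signingKey, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Called only after the user has authenticated with their own credentials.
    String issue(String user, long nowSec, long ttlSec) throws Exception {
        String payload = user + "." + (nowSec + ttlSec);
        return payload + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(sign(payload));
    }

    // Returns the user name if the token is authentic and unexpired; the server
    // then runs the request against MySQL using credentials from its own config.
    Optional<String> verify(String token, long nowSec) throws Exception {
        int cut = token.lastIndexOf('.');
        if (cut < 0) return Optional.empty();
        String payload = token.substring(0, cut);
        int expCut = payload.lastIndexOf('.');
        if (expCut < 0) return Optional.empty();
        byte[] given; long expiry;
        try {
            given = Base64.getUrlDecoder().decode(token.substring(cut + 1));
            expiry = Long.parseLong(payload.substring(expCut + 1));
        } catch (IllegalArgumentException e) { return Optional.empty(); }
        if (!MessageDigest.isEqual(sign(payload), given)) return Optional.empty(); // constant-time compare
        if (nowSec >= expiry) return Optional.empty();
        return Optional.of(payload.substring(0, expCut));
    }

    public static void main(String[] args) throws Exception {
        TokenGateway gw = new TokenGateway();
        String t = gw.issue("alice", 1000, 600);                          // constructed sample values
        System.out.println(gw.verify(t, 1200));                           // valid token
        System.out.println(gw.verify(t.replace("alice", "admin"), 1200)); // user name altered
        System.out.println(gw.verify(t, 2000));                           // past expiry
    }
}
```

A token copied from the client's disk is valid only for that user and only until it expires, whereas a database password recovered from the jar is shared by every installation.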