Question regarding the sending of passwords via JDBC . . .

843854
843854 Member Posts: 49,633
Hey All,

I'd like to know if the username and password is sent in clear text during the getConnection() JDBC call to connect a client to a database?

I'm using a type 4 driver. Does this mean that the connection protocol is database-dependent and that some databases may allow the sending of passwords to be encrypted?

Thanks for any help.

Peter

Comments

  • 843854
    843854 Member Posts: 49,633
    Typically yes, clear text; the JDBC spec does not make assumptions as to what the driver does with the password. The encryption needs to be negotiated by the server and the JDBC driver. Check if your back-end supports password encryption, then check if the JDBC driver supports that feature. Type 4 means that the driver implements the network protocol to "speak" to the DBMS in Java. So the whole thing (driver plus network library) is written in Java.

    hth.
  • 843854
    843854 Member Posts: 49,633
    I'm a bit new to Java but it seems there's a security issue here ... I'm using a MySQL web server and would like to write a client front-end in Java for misc. users.

    I'm not worried about the passwords being sent because these are encrypted but I'm worried about the fact that passwords in Java pseudocode (compiled classes) are plain text. Well with most development languages this is true, strings are stored in plain text. But Java is very unlike the other languages: Java pseudocode can easily be decompiled.

    From what I've read, obfuscators only make decompiled pseudocode harder to read but they do not protect strings.

    My question is: is there a way to protect the connection strings? Or at least the passwords? Something can certainly be done, but what?
  • 843854
    843854 Member Posts: 49,633
    I really need an answer here please!

    Thanks !
  • jschellSomeoneStoleMyAlias
    jschellSomeoneStoleMyAlias Member Posts: 24,877 Gold Badge
    > I really need an answer here please!

    And what would the question be?

    If you distribute a Java application that can connect to your database, regardless of how you encrypt it, I can hack it and get to your database.

    So your choices are:
    -Don't worry about it. Trust your users. Maybe back up a lot.
    -Don't distribute the piece that talks to the database. Use a front end that talks to a server. That server actually talks to the database. This is one of the points of a web server.

  • 843854
    843854 Member Posts: 49,633
    Hey,

    I am also trying the same thing... I am using a JDBC type 4 driver to connect to SYBASE/Oracle/MS SQL Server 2000. The password is just plain text while transmitting. How can I encrypt this?

    Thanks for any help.

    Sreenivas
  • 843854
    843854 Member Posts: 49,633
    Hello,

    Just read the user manual of the JDBC driver you are using. There should be some options that can be set via the JDBC URL or JDBC properties. If you are sure that the DB supports password encryption (I guess MSSQL does) and you cannot find the options in the JDBC driver, make a call to their tech support and ask if they support it.

    -Jer
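
An added example, not part of the original thread: a check that refuses JDBC settings which do not force protection of the login, using the option names documented for current drivers (MySQL Connector/J `sslMode`, Microsoft JDBC `encrypt`/`trustServerCertificate`, Oracle thin `oracle.net.encryption_client`, Sybase jConnect `ENCRYPT_PASSWORD`). The class name, method names and host names are constructed for illustration.

```java
import java.util.Locale;
import java.util.Properties;
public class JdbcTransportCheck {
    // Finds a setting in the URL (?k=v&k=v or ;k=v;k=v), then in the Properties.
    static String setting(String url, Properties p, String key) {
        for (String part : url.split("[?&;]")) {
            String[] kv = part.split("=", 2);
            if (kv.length == 2 && kv[0].trim().equalsIgnoreCase(key)) return kv[1].trim();
        }
        return p.getProperty(key, "");
    }
    // Returns null when the settings force protection, otherwise what is missing.
    static String weakness(String url, Properties p) {
        String u = url.toLowerCase(Locale.ROOT);
        if (u.startsWith("jdbc:mysql:")) { // lower modes encrypt opportunistically or skip cert checks
            return setting(url, p, "sslMode").matches("(?i)VERIFY_(CA|IDENTITY)")
                    ? null : "MySQL: set sslMode=VERIFY_CA or VERIFY_IDENTITY";
        }
        if (u.startsWith("jdbc:sqlserver:")) {
            boolean ok = setting(url, p, "encrypt").matches("(?i)true|strict")
                    && !setting(url, p, "trustServerCertificate").equalsIgnoreCase("true");
            return ok ? null : "SQL Server: set encrypt=true, trustServerCertificate=false";
        }
        if (u.startsWith("jdbc:oracle:thin:")) {
            boolean ok = u.contains("tcps") // rough test for a TLS (TCPS) connect string
                    || setting(url, p, "oracle.net.encryption_client").equalsIgnoreCase("REQUIRED");
            return ok ? null : "Oracle thin: set oracle.net.encryption_client=REQUIRED or use TCPS";
        }
        if (u.startsWith("jdbc:sybase:tds:")) {
            // jConnect: this protects the login password only, not the session data.
            return setting(url, p, "ENCRYPT_PASSWORD").equalsIgnoreCase("true")
                    ? null : "Sybase jConnect: set ENCRYPT_PASSWORD=true";
        }
        return "unrecognised driver: check its manual for an encryption option";
    }
    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample settings, no real hosts
        props.setProperty("oracle.net.encryption_client", "REQUIRED");
        String[] urls = {
            "jdbc:mysql://db.example.internal:3306/app?sslMode=PREFERRED",
            "jdbc:sqlserver://db.example.internal:1433;databaseName=app;encrypt=true",
            "jdbc:oracle:thin:@//db.example.internal:1521/app",
            "jdbc:sybase:Tds:db.example.internal:5000/app" };
        for (String url : urls) {
            String w = weakness(url, props);
            System.out.println((w == null ? "OK    " : "WEAK  ") + url + (w == null ? "" : "  -> " + w));
        }
    }
}
```

Run against the four constructed URLs, the MySQL and Sybase entries are reported as WEAK and the SQL Server and Oracle entries as OK.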
  • 843854
    843854 Member Posts: 49,633
    Thanks Jer...

    Yes... MS SQL supports password encryption but not Oracle & Sybase... Is there any way to handle this encryption issue for these two DBs also?

    Thanks in advance
    Sreenivas
  • 843854
    843854 Member Posts: 49,633
    > Yes... MS SQL supports password encryption but not Oracle & Sybase... Is there any way to handle this encryption issue for these two DBs also?

    The password is always encrypted when using Oracle thin or oci driver. Oracle also has the ability to encrypt the text using oci.
  • 843854
    843854 Member Posts: 49,633
    Here is an additional link on how to encrypt DATA using the Oracle thin driver.
  • 843854
    843854 Member Posts: 49,633
    Thanks a lot...... where is the link?
This discussion has been closed.