Oracle Forms

Typically yes, clear text, the JDBC spec does not make assumptions as to what the driver does with the password. The encryption needs to be negociated by the server and the jdbc driver. Check if your back-end supports password encryption, then check if the jdbc driver supports that feature. Type 4 means that the driver implements the network protocol to "speak" to the dbms in java. So the whole thing (Driver plus network library) is in written in java.

hth.

I'm a bit new to Java but it seems there's a security issue here ... I'm using a Mysql web server and would like to write a client front-end in Java for misc. users.

I'm not worried about the passwords being sent because these are encrypted but I'm worried about the fact that passwords in Java pseudocode (compiled classes) are plain text. Well with most development languages this is true, strings are stored in plain text. But Java is very unlike the other languages: Java pseudocode can easily be decompiled.

From what I've read, obfuscators only make decompiled pseudocode harder to read but they do not protect strings.

My question is: is there a way to protect the connection strings ? or at least the passwords ? Something can certainly be done but what ?

I reallty need an answer here please !

Thanks !

And what would the question be?

If you distribute a java application that can connect to your database regardless of how you encrypt it I can hack it and get to your database.

So your choices are:
-Don't worry about it. Trust your users. Maybe back up a lot.
-Don't distribute the piece that talks to the database. Use a front end that talks to a server. That server actually talks to the database. This is one of the points of a web server.

Hey ,

I am also trying same thing... I am using JDBC type 4 driver to connect to SYBASE/Oracle/MS SQL Server 2000. Password is just a plain text while transmitting.How can I encrypt this.

Thanks for any help.

Sreenivas

hello,

Just read the usermanual of the JDBC Driver you are using. There should be some options that can be set via the jdbc url or jdbc properties. If you are sure that the DB supports password encryption.. i guess MSSQL does.. , and you cannot find out the options in the JDBC driver, make a call to their tech support and ask if they supports it.

-Jer

Thanks Jer...

Yes... MS SQL supporting password encryption but not Oracle & Sybase... Is there any way to handle this encryption issue for these two DB's also.

Thanks in advance
Sreenivas

The password is always encrypted when using Oracle thin or oci driver. Oracle also has the ability to encrypt the text using oci.

Here is an additional link on how to encrypt DATA using the Oracle thin driver.

Thanks a lot...... where is the link?

Didn't you mean, where is the link please? :)

Sorry, here you go:

http://otn.oracle.com/sample_code/deploy/security/files/secure_thin_driver/readme.html

Of course my friend.. Thanks A LOT once again ;)

Can anybody help on how to encrypt the password while transmitting to SYABASE Data Server using JDBC driver

Thanks
Sreenivas

Sreenivas,
To support encryption, the sybase driver should be used with SSL (Security Sockets Layer).

Wouldn't it just be easier to keep the database and application server in a secure domain?

Can you say "n-Tier Architecture": boys and girls?
... I knew you could. ;-)