I have a Spring MVC web application which needs to connect to a database, and the data source credentials are currently (in development) being kept in the application context configuration file, i.e. in WEB-INF\spring\application_context.xml like so:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="username" value="my_username" />
<property name="password" value="my_password" />
<property name="url" value="my_datasource_url" />
<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver" />
</bean>
Before I deploy this application to a public facing Tomcat server I want to make sure that I’m not making these database credentials visible to the world or easily discovered by a crafty hacker. Am I OK keeping things as they are, i.e. in plain text and in an XML file under WEB-INF? If not then is there a best practice for this sort of thing?
Thanks in advance for your help.
Another thing to consider would be to have a JNDI lookup. JNDI would be contained within the servlet container (tomcat in your case) allowing connections to the database only through webapps currently deployed from Tomcat.
This way also creates a silo’d experience between build management and development so development doesn’t have the keys to the car, if you get my metaphor.