
I'm creating a standalone application (GUI based on Swing). It will be like a password holder (e.g. logins / passwords for user-specified sites).

It connects to a remote psql database, and the connection to the database is stored in db.properties files.

What I would like:

  1. How could I 'hide' the database connection from a user who will unarchive my .jar package? (In the worst case, at least the password of the connecting user.)
  2. Is there any way to prevent decompiling / debugging the file?

1 Answer

I recommend storing the DB credentials in an environment variable and having the source code read in the value.

This prevents having to store the credentials in source control or binaries but allows you to easily provision/change your secrets.

This has become a best practice included in "12 factor apps" and models the way Heroku and other hosting services manage application level config.


2 Comments

I'm reading the 12 factor docs right now and I agree with you, but is there no security concern in making my database access data env vars?
Your application server must possess the database access credentials to run your application. Environment variables are no more or less secure than being stored on disk in a file. The best way to secure the database is to create a database user account with least privileges for the application to use.
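
The approach from the answer and the least-privilege point from the comment, combined in one sketch. This is an added example, not code from the answer or its comments. The variable names `APP_DB_URL`, `APP_DB_USER` and `APP_DB_PASSWORD` are hypothetical, and a PostgreSQL JDBC driver is assumed to be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;
import java.util.Properties;

public final class DbBootstrap {
    // Hypothetical variable names (an assumption of this example); choose your own.
    static final String URL = "APP_DB_URL", USER = "APP_DB_USER", PASS = "APP_DB_PASSWORD";

    /** Returns a required variable, or fails naming only the variable, never a value. */
    static String require(Map<String, String> env, String key) {
        String v = env.get(key);
        if (v == null || v.isBlank()) {
            throw new IllegalStateException("Missing environment variable: " + key);
        }
        return v;
    }

    /** Opens a connection using credentials taken only from the environment. */
    static Connection connect(Map<String, String> env) throws SQLException {
        Properties p = new Properties();
        p.setProperty("user", require(env, USER));
        p.setProperty("password", require(env, PASS));
        return DriverManager.getConnection(require(env, URL), p);
    }

    /** Refuses to continue if the application login holds administrative role attributes. */
    static void assertLeastPrivilege(Connection c) throws SQLException {
        String sql = "SELECT rolsuper, rolcreaterole, rolcreatedb "
                   + "FROM pg_roles WHERE rolname = current_user";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            if (!rs.next() || rs.getBoolean(1) || rs.getBoolean(2) || rs.getBoolean(3)) {
                throw new SQLException("Database account could not be verified as restricted");
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = connect(System.getenv())) {
            assertLeastPrivilege(c);
            System.out.println("Connected with a restricted account");
        }
    }
}
```

The role-attribute check only catches administrative flags; table-level grants for the application account still have to be limited on the database side.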
