On Feb 12, 2016 3:19 PM, "Dougherty, Gregory T., M.S." <dougherty.greg...@mayo.edu> wrote:
>
> On 2/12/16, 3:08 PM, "Leo Donahue" <donahu...@gmail.com> wrote:
> >
> >On Feb 12, 2016 2:58 PM, "Dougherty, Gregory T., M.S." <
> >dougherty.greg...@mayo.edu> wrote:
> >>
> >> The web app needs a DB password so it can connect to the DB.
> >
> >I disagree that the web app needs a password.
> The web app has to be able to read and write to the DB. That takes a
> password.

No, javax.sql.DataSource needs a password. Your web app just needs a user name. Your custom data source will fetch a password.

> >
> >> How does the Web app get access to the DB, without saving within the web
> >> app anything that someone else could also use to get access to that DB?
> >>
> >
> >Implement your own data source.
>
> How does the web app connect to the data source? How does the data source
> know that this web app, unlike every other web app in existence, is
> allowed to access the data source?
>
> For that matter, how do I set up the data source (whose every element is
> checked into the source code control system that a malicious user may have
> access to) so that it knows the passwords of interest?
>
> That leaves aside the issue that the web app is a production web app,
> which means it can't rely on a non-production data source, which means I
> can't set up my own data source. But even if I could, all the other
> problems still apply.
> --

A. You don't get to manage your passwords.
B. The suggestion I'm giving you requires coordination with sys admins and DBAs. It is more than just a simple app trying to find a way to hide passwords, none of which will "ever" be in source control.

Leo
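
The custom data source suggested in this thread could look like the following. This is an added example, not code from either poster: the class name `SecretFileDataSource`, the secret directory and the one-file-per-user layout are assumptions, and it presumes a POSIX host where an administrator provisions the password file outside the web app and outside source control.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.*;
import java.util.Set;
import java.util.logging.Logger;
import javax.sql.DataSource;

// Hypothetical data source: the web app supplies a user name only; the password is fetched at connect time.
public class SecretFileDataSource implements DataSource {
    private final String url;      // JDBC URL, assumed to come from container configuration
    private final String user;     // the only credential-related value the web app knows
    private final Path secretDir;  // assumed directory owned by the service account, managed by sysadmins/DBAs
    public SecretFileDataSource(String url, String user, Path secretDir) {
        this.url = url; this.user = user; this.secretDir = secretDir;
    }
    // Reads <secretDir>/<user>; rejects odd user names (path traversal) and files readable by group/others.
    String fetchPassword() throws SQLException {
        if (!user.matches("[A-Za-z0-9_]+")) throw new SQLException("invalid user name");
        Path f = secretDir.resolve(user);
        try {
            Set<PosixFilePermission> p = Files.getPosixFilePermissions(f);
            if (p.contains(PosixFilePermission.GROUP_READ) || p.contains(PosixFilePermission.OTHERS_READ))
                throw new SQLException("secret file permissions too open: " + f);
            return new String(Files.readAllBytes(f), StandardCharsets.UTF_8).trim();
        } catch (IOException e) {
            throw new SQLException("cannot read secret for " + user, e);
        }
    }
    @Override public Connection getConnection() throws SQLException {
        return DriverManager.getConnection(url, user, fetchPassword());
    }
    // Callers never pass credentials, so application code has no reason to hold a password.
    @Override public Connection getConnection(String u, String p) throws SQLException {
        throw new SQLFeatureNotSupportedException("callers may not supply credentials");
    }
    @Override public PrintWriter getLogWriter() { return null; }
    @Override public void setLogWriter(PrintWriter out) { }
    @Override public void setLoginTimeout(int seconds) { DriverManager.setLoginTimeout(seconds); }
    @Override public int getLoginTimeout() { return DriverManager.getLoginTimeout(); }
    @Override public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
    @Override public <T> T unwrap(Class<T> c) throws SQLException {
        if (c.isInstance(this)) return c.cast(this);
        throw new SQLException("not a wrapper for " + c);
    }
    @Override public boolean isWrapperFor(Class<?> c) { return c.isInstance(this); }
}
```

It opens a new connection on every call; a production deployment would place a connection pool in front of it.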