How to avoid storing passwords in the clear for tomcat’s server.xml Resource definition of a DataSource?

As said before encrypting passwords is just moving the problem somewhere else.

Anyway, it’s quite simple.
Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords.
Encrypt your password in Tomcat’s configuration file (server.xml or yourapp.xml…) using this class.

And to decrypt the password “on the fly” in Tomcat, extend the DBCP’s BasicDataSourceFactory and use this factory in your resource.

It will look like:

    <Resource
        name="jdbc/myDataSource"
        auth="Container"
        type="javax.sql.DataSource"
        username="user"
        password="encryptedpassword"
        driverClassName="driverClass"
        factory="mypackage.MyCustomBasicDataSourceFactory"
        url="jdbc:blabla://..."/>

And for the custom factory:

package mypackage;

....

public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {

@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
    Object o = super.getObjectInstance(obj, name, nameCtx, environment);
    if (o != null) {
        BasicDataSource ds = (BasicDataSource) o;
        if (ds.getPassword() != null && ds.getPassword().length() > 0) {
            String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
            ds.setPassword(pwd);
        }
        return ds;
    } else {
        return null;
    }
}

Hope this helps.

Leave a Comment