In the web-application I'm developing I currently use a naive solution when connecting to the database:
Connection c = DriverManager.getConnection("url",
Unless I am missing the point, the connection should be managed by the server via a connection pool; therefore the connection credentials are held by the server and not by the app.
Taking this further, I generally build to a convention where the frontend web application (in a DMZ) only talks to the DB via a web service (in domain), therefore providing complete separation and enhanced DB security.
Also, never give privileges to the db account over or above what is essentially needed.
An alternative approach is to perform all operations via stored procedures, and grant the application user access only to these procs.
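The two suggestions above (a server-managed connection pool, and access only through stored procedures) combined in one data-access class. This is an added example, not code from the thread; the JNDI name `jdbc/AppDB`, the class name `OrderRepository` and the procedure `get_order_total` are assumptions chosen for illustration.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class OrderRepository {
    // Assumed JNDI name. The pool, JDBC URL and credentials are defined in the
    // server's configuration, so none of them appear in application code.
    private static final String JNDI_NAME = "java:comp/env/jdbc/AppDB";

    private final DataSource pool;

    // Looks up the container-managed pool instead of calling DriverManager.
    public OrderRepository() throws NamingException {
        this.pool = (DataSource) new InitialContext().lookup(JNDI_NAME);
    }

    // Alternative constructor for tests or containers that inject the DataSource.
    public OrderRepository(DataSource pool) {
        this.pool = pool;
    }

    // Calls the hypothetical procedure get_order_total(IN customer_id).
    // The DB account behind the pool needs only EXECUTE on this procedure,
    // not SELECT/INSERT/UPDATE/DELETE on the underlying tables.
    public long orderTotalCents(long customerId) throws SQLException {
        // try-with-resources hands the connection back to the pool on exit,
        // including when an exception is thrown.
        try (Connection c = pool.getConnection();
             CallableStatement call = c.prepareCall("{call get_order_total(?)}")) {
            call.setLong(1, customerId); // bound parameter, never concatenated
            try (ResultSet rs = call.executeQuery()) {
                if (!rs.next()) {
                    throw new SQLException("get_order_total returned no row");
                }
                return rs.getLong(1);
            }
        }
    }
}
```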