
A simple utility

Posted by tchangu on February 25, 2006 at 9:26 PM PST

Often we see code like this.

   Connection conn = DriverManager
         .getConnection("jdbc:mysql://localhost/springdao?user=vk&password=password");

As can be seen above, the password is embedded in the source as clear text. No corporate risk management team would approve of exposing passwords, which could in turn expose access to sensitive data. Of course, there are many solutions that fix this issue by combining technology and process. Here is a partial solution that addresses the technology side by extending the IDE and using Java 5 annotations. To make the solution complete, one also needs to define a process with a clear separation of responsibility (who does what).

Here is how this spartan scheme works. First declare an annotation for DB Credentials.

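   import java.lang.annotation.ElementType;
   import java.lang.annotation.Retention;
   import java.lang.annotation.RetentionPolicy;
   import java.lang.annotation.Target;

   @Retention(RetentionPolicy.RUNTIME)
   @Target(ElementType.METHOD)
   public @interface DbCredentials {
      String userId();
      String password();
   }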

Next, use the annotation on the connect method. In this method, creating the connection to the resource is delegated to the ConnectionManager.

   @DbCredentials(userId="vk", password="password")
   public void connect2(){
      try {
         Connection conn = ConnectionManager.makeMysqlConnection(this);
      } catch (SecurityException e) {
          e.printStackTrace();
      } catch (...)
   }

The password is still in clear text. Encrypt it using a simple encrypt Eclipse plug-in. Here's how it works. In this simplistic scheme, a symmetric key is used to encrypt and decrypt. Of course, one could use asymmetric key cryptography (public/private key cryptography) in conjunction with a clear separation of responsibilities in order to make such schemes bulletproof.

[Image: Encrypt.jpg]

   @DbCredentials(userId="vk", password="05a62e06333d15418a57fff85bacc13c")
   public void connect2(){
      try {
         Connection conn = ConnectionManager.makeMysqlConnection(this);
      } catch (SecurityException e) {
         e.printStackTrace();
      } catch (...)
   }

Once this is done, at runtime the connection manager reads the annotated password value, gets the key, and decrypts it. The connection is then made to the requested resource.

   ...
   DbCredentials utAnnotation = amethod.getAnnotation(DbCredentials.class);
   if ( utAnnotation != null ){
     userId = utAnnotation.userId();
     password = utAnnotation.password();
   }
   ...
   Class.forName("com.mysql.jdbc.Driver");
   Connection conn = DriverManager
              .getConnection("jdbc:mysql://localhost/springdao?user="
                              + userId + "&password=" + enc.decrypt(password));
   ...  
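
The encrypt step and the runtime lookup described above, as an added, self-contained sketch (not the post's code; the post's LocalEncrypter and its key handling are not shown). It assumes AES-GCM, a token layout of Base64(IV || ciphertext || tag), and a key supplied through a hypothetical `DB_CRED_KEY` environment variable; the scheme only protects the password while that key is kept out of the source tree and the class files.

```java
import java.lang.annotation.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class AnnotatedCredentialsDemo {
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface DbCredentials { String userId(); String password(); }
    // Constructed placeholder (Base64 of 30 zero bytes), not a real ciphertext.
    @DbCredentials(userId = "vk", password = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
    public void connect2() { }
    static Cipher gcm(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }
    // Editor-side step (hypothetical): Base64(IV || ciphertext || tag), fresh IV per value.
    static String encrypt(String plain, byte[] key) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }
    // Runtime step: authenticate, then decrypt; a wrong key or edited token throws.
    static String decrypt(String token, byte[] key) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < 28) throw new GeneralSecurityException("token shorter than IV + tag");
        byte[] pt = gcm(Cipher.DECRYPT_MODE, key, Arrays.copyOf(in, 12)).doFinal(in, 12, in.length - 12);
        return new String(pt, StandardCharsets.UTF_8);
    }
    // Connection-manager step: read the annotation from the named method by reflection.
    static String passwordFor(Object caller, String method, byte[] key) throws Exception {
        DbCredentials a = caller.getClass().getMethod(method).getAnnotation(DbCredentials.class);
        if (a == null) throw new SecurityException("no @DbCredentials on " + method);
        return decrypt(a.password(), key);
    }
    public static void main(String[] args) throws Exception {
        String env = System.getenv("DB_CRED_KEY"); // hypothetical variable: Base64 AES key
        byte[] key = env != null ? Base64.getDecoder().decode(env)
                : KeyGenerator.getInstance("AES").generateKey().getEncoded(); // per-run demo key
        String token = encrypt("password", key);
        System.out.println("token: " + token + " decrypts to: " + decrypt(token, key));
        try {
            System.out.println("annotated: " + passwordFor(new AnnotatedCredentialsDemo(), "connect2", key));
        } catch (GeneralSecurityException | IllegalArgumentException e) { System.out.println("annotation rejected: " + e); }
    }
}
```

With `DB_CRED_KEY` set and the printed token pasted into the annotation, the last line prints the decrypted value; with the placeholder it reports the rejection instead of returning garbage.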

Now, in order to extend the Eclipse platform one needs to create a plug-in project. In this case, we are interested in implementing a popupMenu. After going through the wizard process, the plug-in that gets generated is

   <?xml version="1.0" encoding="UTF-8"?>
   <?eclipse version="3.0"?>
   <plugin>
      <extension
            point="org.eclipse.ui.popupMenus">

         <viewerContribution
               targetID="#CompilationUnitEditorContext"
               id="com.test.encrypt">
            <action
               label="Encrypt"
               class="com.test.encrypt.EncryptAction"
               menubarPath="additions"
               id="com.test.encrypt">
            </action>
         </viewerContribution>
      </extension>
   </plugin>

and the source code for EncryptAction is

   import org.eclipse.jface.action.IAction;
   import org.eclipse.jface.text.BadLocationException;
   import org.eclipse.jface.text.IDocument;
   import org.eclipse.jface.text.TextSelection;
   import org.eclipse.jface.viewers.ISelection;
   import org.eclipse.ui.IEditorActionDelegate;
   import org.eclipse.ui.IEditorPart;
   import org.eclipse.ui.actions.ActionDelegate;
   import org.eclipse.ui.texteditor.ITextEditor;
   // LocalEncrypter is the author's own class; its source is not shown here.

   public class EncryptAction extends ActionDelegate implements IEditorActionDelegate {
      private IEditorPart editor;

      // Replaces the text selected in the editor with its encrypted form.
      public void run(IAction action) {
         try {
            if (editor instanceof ITextEditor) {
               LocalEncrypter encrypter = new LocalEncrypter();
               TextSelection selectedText = (TextSelection) editor.getEditorSite()
                                           .getSelectionProvider().getSelection();
               String strSelectedText = selectedText.getText();
               int iCursorPosition = selectedText.getOffset();
               IDocument doc = ((ITextEditor) editor).getDocumentProvider()
                                             .getDocument(editor.getEditorInput());
               if (doc != null) {
                  try {
                     doc.replace(iCursorPosition, selectedText.getLength(),
                                               encrypter.encrypt(strSelectedText));
                  } catch (BadLocationException e) {
                     e.printStackTrace();
                  }
               }
            }
         } catch (Exception e) {
            e.printStackTrace();
         }
      }

      public void setActiveEditor(IAction action, IEditorPart editor) {
         this.editor = editor;
      }

      public void selectionChanged(IAction action, ISelection selection) {
      }
   }

Enjoy!! If you need the complete source code, including the plug-in, send me an email.

I next want to spend some time on the new NetBeans 5.5 and try something similar ;)
