Wednesday, July 4, 2012

Encrypting the Credentials in a Hibernate Configuration File

A Hibernate configuration file is deployed together with the Hibernate application. As is well known, hibernate.cfg.xml contains the database credentials that the application uses to connect to the database layer, so anyone who can read the file can read them, and if somebody tampers with the config file your application stops working entirely.
With this in mind, I was asked to look for a way to encrypt the Hibernate config file so that the confidential information in it is protected. After several days of searching the net, I found the solution.
I will be using the jasypt (Java Simplified Encryption) libraries, which support encryption for all sorts of frameworks.

Add the libraries jasypt-1.9.0.jar and jasypt-hibernate3-1.9.0.jar (if using Hibernate 3; use jasypt-hibernate4-1.9.0.jar instead if using Hibernate 4) to your classpath.

Now, add the following two properties to your Hibernate config file.

<property name="connection.provider_class">
  org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider
</property>
<property name="connection.encryptor_registered_name">
  configurationHibernateEncryptor
</property>

The first property replaces Hibernate's connection provider with jasypt's, which decrypts the password before connecting; the second names the encryptor it should use. You also need to register that encryptor in code, which is described further down. I have used the generally accepted name configurationHibernateEncryptor.


Having done this, you then need to put the encrypted password in the file, wrapped in ENC(...).
E.g.,

<property name="hibernate.connection.password">ENC(dNk7whU8eOdkYPZjRyCUyg==)</property>


How do you get the encrypted passwords?


In the jasypt download, you will find the following structure:

jasypt
  -> apidocs
  -> bin
  -> lib

Inside bin there will be a batch file, encrypt.bat. Ensure that your Java path is set correctly in the environment variables, then run the batch file:

Fig. 1 Encryption using a command line application

You need to pass the text you want to encrypt and a password. This password is the master password the application will later use to decrypt the value, so it must be the same one you set on the encryptor in the next step. Note the output, and paste it inside ENC(...) in place of the plain-text password in the config file, as shown above.

Next, in the HibernateUtil file (the class in which your SessionFactory is built), add the following lines so that they run before the SessionFactory is created:



import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.hibernate.encryptor.HibernatePBEEncryptorRegistry; // jasypt-hibernate4: org.jasypt.hibernate4.encryptor

// Must run before the SessionFactory is built, e.g. in HibernateUtil's static initializer.
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setAlgorithm("PBEWithMD5AndDES");
encryptor.setPassword("root"); // the same master password that was given to encrypt.bat
HibernatePBEEncryptorRegistry registry = HibernatePBEEncryptorRegistry.getInstance();
registry.registerPBEStringEncryptor("configurationHibernateEncryptor", encryptor);

This registers the encryptor under the name configurationHibernateEncryptor, which is the name we used in the Hibernate config file.
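The whole flow in one runnable class, as an added example that is not part of the original post: it builds the encryptor, registers it under the name from hibernate.cfg.xml, produces an ENC(...) value the way encrypt.bat does, and decrypts it the way jasypt's connection provider does at start-up. Unlike the snippet above it reads the master password from an environment variable (assumed name HIBERNATE_ENC_PASSWORD, my choice, not jasypt's) so that the decryption key does not sit in the source next to the ciphertext; the class and method names are mine.

```java
import org.jasypt.encryption.pbe.PBEStringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.hibernate.encryptor.HibernatePBEEncryptorRegistry;
import org.jasypt.properties.PropertyValueEncryptionUtils;

public class HibernateCredentialEncryptor {
    static final String REGISTERED_NAME = "configurationHibernateEncryptor";
    static final String MASTER_PASSWORD_ENV = "HIBERNATE_ENC_PASSWORD"; // assumed variable name

    // Same algorithm and master password as used with encrypt.bat, or nothing will decrypt.
    static StandardPBEStringEncryptor buildEncryptor() {
        String master = System.getenv(MASTER_PASSWORD_ENV);
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException(MASTER_PASSWORD_ENV + " is not set; refusing to start");
        }
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setAlgorithm("PBEWithMD5AndDES");
        encryptor.setPassword(master);
        return encryptor;
    }

    // Must run before the SessionFactory is built, or the provider will not find the name.
    static void register(PBEStringEncryptor encryptor) {
        HibernatePBEEncryptorRegistry.getInstance().registerPBEStringEncryptor(REGISTERED_NAME, encryptor);
    }

    // What encrypt.bat does, plus the ENC(...) wrapper. Each call uses a fresh random salt,
    // so the same password gives a different string every time; all of them decrypt.
    static String toConfigValue(PBEStringEncryptor encryptor, String plainPassword) {
        return PropertyValueEncryptionUtils.encrypt(plainPassword, encryptor);
    }

    // What the jasypt connection provider does at start-up: values not wrapped in ENC(...)
    // pass through unchanged, wrapped ones are decrypted with the registered encryptor.
    static String fromConfigValue(String configValue) {
        if (!PropertyValueEncryptionUtils.isEncryptedValue(configValue)) {
            return configValue;
        }
        PBEStringEncryptor registered = HibernatePBEEncryptorRegistry.getInstance().getPBEStringEncryptor(REGISTERED_NAME);
        return PropertyValueEncryptionUtils.decrypt(configValue, registered);
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor = buildEncryptor();
        register(encryptor);
        String enc = toConfigValue(encryptor, "db-secret"); // constructed sample DB password
        System.out.println("<property name=\"hibernate.connection.password\">" + enc + "</property>");
        if (!"db-secret".equals(fromConfigValue(enc))) throw new AssertionError("round trip failed");
    }
}
```

Run it with HIBERNATE_ENC_PASSWORD set and jasypt-1.9.0.jar plus jasypt-hibernate3-1.9.0.jar on the classpath; the printed property line can be pasted straight into hibernate.cfg.xml.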


That's all: the database password in hibernate.cfg.xml is no longer stored in plain text.


Bhavin
3 comments:

  1. Hi, thank you for your post. I just followed your tutorial and I have a question: which one is the HibernateUtil file?

  2. More details here:
    http://www.jasypt.org/hibernate.html

  3. I have the same doubt as Alonvico. Is it HibernateUtil.java, or does it have another extension?
    Where do I need to put the HibernateUtil file? How may I call the file, if it is needed to call it?

    I visited http://www.jasypt.org/hibernate.html, but it is not clear to me either.

    Kind regards,
    Luis A