我使用以下代码来初始化数据库连接:
public Connection getConnection() {
try {
if (null == connection) {
String driverName = "com.mysql.jdbc.Driver"; // MySQL MM JDBC driver
Class.forName(driverName);
// Create a connection to the database
String serverName = "localhost";
String database = "database";
String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url
String username = "username";
String password = "password";
connection = DriverManager.getConnection(url, username, password);
}
return connection;
} catch (ClassNotFoundException cnfe) {
cnfe.printStackTrace();
} catch (SQLException sqle) {
sqle.printStackTrace();
}
throw new NullPointerException("Cannot establish database connection...");
}
我知道这样做是不好的做法,我也跑了FindBugs
违反代码,并得到安全问题,内容如下:This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password.
在不出现这种安全漏洞的情况下初始化数据库连接的最佳方法是什么?
从属性文件或 LDAP 或类似的密码中读取密码,并仅对用于运行软件的帐户进行安全访问(任何开发人员都不应有权访问)。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)