I have a Java desktop application which connects directly with the DB (an Oracle). The application has multiple user accounts. What is the correct method to send the user's password (not DB password) over the network? I don't want to send it in plain text.
You could connect over a secure socket connection, or hash the password locally before sending it to the database (or better, both). Ideally, the only time the password should exist in plain text form is prior to hashing. If you can do all of that on the client side, so much the better.
You can use an SSL connection between the Oracle client and the Oracle database. To configure SSL between Oracle client and server using JDBC:
At server side:
1) First of all, the listener must be configured to use the TCPS protocol:
LISTENER = (ADDRESS_LIST= (ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484)))
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/server/wallet/path/)))
At client side:
1) The following jars need to be on the classpath:
ojdbc14.jar, oraclepki.jar, ojpse.jar
2) The URL used for the connection should be:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))
3) The following properties need to be set (either as system properties (-D options) or as properties on the connection):
javax.net.ssl.trustStore,
javax.net.ssl.trustStoreType,
javax.net.ssl.trustStorePassword
Reference: http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/wp-oracle-jdbc_thin_ssl_2007.pdf
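The client-side steps above, put together as an added example (not code from the original answer or from Oracle): it refuses any connect descriptor that is not TCPS and loads the trust store before connecting, so a misconfiguration fails before credentials are sent. The trust store path, store type, and environment variable names are assumptions, and the Oracle JDBC driver must be on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Objects;
import java.util.Properties;

public class TcpsConnect {
    // Placeholder host, port and service name, as in the URL shown above.
    static final String URL = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
            + "(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";

    // Fail closed: accept only descriptors whose addresses all use TCPS.
    static void requireTcps(String url) {
        String u = url.toLowerCase().replace(" ", "");
        if (!u.contains("(protocol=tcps)") || u.contains("(protocol=tcp)")) {
            throw new IllegalArgumentException("Refusing non-TCPS connect descriptor");
        }
    }

    // Load the trust store up front so a wrong path or password fails before any network I/O.
    static int checkTrustStore(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        if (ks.size() == 0) throw new IllegalStateException("Trust store has no entries");
        return ks.size();
    }

    public static void main(String[] args) throws Exception {
        String store = "/client/truststore.jks";   // hypothetical path
        String type = "JKS";                       // assumed store type
        // Hypothetical environment variable names; secrets are not hard-coded.
        String storePass = Objects.requireNonNull(System.getenv("TRUSTSTORE_PASSWORD"));
        String dbUser = Objects.requireNonNull(System.getenv("DB_USER"));
        String dbPass = Objects.requireNonNull(System.getenv("DB_PASSWORD"));

        requireTcps(URL);
        checkTrustStore(store, type, storePass.toCharArray());

        Properties props = new Properties();
        props.setProperty("user", dbUser);
        props.setProperty("password", dbPass);
        props.setProperty("javax.net.ssl.trustStore", store);
        props.setProperty("javax.net.ssl.trustStoreType", type);
        props.setProperty("javax.net.ssl.trustStorePassword", storePass);
        try (Connection c = DriverManager.getConnection(URL, props)) {
            System.out.println(c.getMetaData().getDatabaseProductVersion());
        }
    }
}
```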