I am not a Java developer, but my client hired him to update some JAR files on his site. Before that, we conducted an audit of existing code and discovered a number of security vulnerabilities. One of the solutions that we used to ensure file security is to create a new database user with read-only access to the database and only for those tables that are necessary for JAR files to work. Then I found out that they store these credentials in text files along with JAR files, but only in the form of educated guessing from a wide audience. And finally, today they are asking for much weaker privileges for the database, but I don’t think she understands that she really doesn’t need them for a correctly written JAR file.
In any case, I am sure that this developer will not know the security vulnerability if she bites it on the back. And I don't know enough about Java / JAR files to properly advise her what she should do, only enough information about infosec to tell her what she shouldn't do.
So, what are typical security considerations when writing a distributed JAR file that connects to a remote MySQL database? Is there a standard way to encrypt connection information (username and / or password)? IIRC, are not .jar files, simply glorified by ZIP archives, and no one could unzip the file and view the connection information in the source code? Is there a way to encrypt the contents of a jar file?
UPDATE: I received clarifications from the developer. Does this sound right?
jar encrypoted. jar. [] , . . jdbc db, eangine sqls. sqls jar.
, , . /decription java . reoutine. Java Retroguard . html, , , - []. , .