Re: [Hsqldb-user] Hiding database structure/logins from users

[fredt <fr...@us...>]

Strings in CACHED tables can be read as they are encoded in UTF-8. You
should be able to remedy the perceived lack of security by encoding the
lines that are written to the *.script file and later read from it by
modifying two methods of StringConverter.java (UnicodeToAscii and
AsciiToUnicode). Just avoid using non ascii and control characters in the
encoded form. BASE64 is a suitable example.

I offered a similar tip a while back to someone who asked the same question
in the Help forum. It is always worth doing a search on both this list's
archives and the forums.

Fred Toussi
 ______________

Geoff Beaumont wrote:

This may be a 'simple can't be done', but on the off chance that there
is a way of doing this...

Is there any way of setting the system tables to be cached, so that the
information contained in the database.script file is stored in a non
human readable format?

I'm aware that this doesn't significantly increase the security of the
system - the two issues from my point of view are:
- the ability of the user to edit the database.script file, almost
  certainly breaking the system the database is part of.
- the potential for users to conclude that the system is insecure
  because the passwords are stored in plain text (why, incidentally?)

A word in explanation - I'm using HSQLDB as an embedded database in a
Java application - the database files are stored on the users machine,
and necessarily have full read/write permissions for the user.

Without having actually looked at the source code, I'm thinking that it
would be reasonably easy to add a one way hash to the password handling
methods, possibly to the username too (although that's probably of no
real benefit). Would there be any catches if I did this?

Obscuring the database structure strikes me as considerably more
complex, unless there's an easy way to do this that I'm missing. Hmm,
that probably qualifies as a statement of the bleeding obvious...