#65 Ability to enter password from within schemaSpy


The requirement to include a password as a command-line switch is a huge security risk.

Especially as SchemaSpy can take several minutes to run on a large database, this requirement allows any user on the system to execute a simple ps and immediately be provided with all of the login details to the database - including a password. As many users may be running with elevated privileges, in order to ensure they have the entire schema, this is a very serious potential exposure.

SchemaSpy should allow for the user to submit a command line and then subsequently prompt the user for the password. This same behavior can be seen in most every database administration tool.


  • John Currier

    John Currier - 2010-06-28

    There's currently a -connprops option that can be used to point to a file of key=value pairs containing a password=mypassword entry. That file would obviously need to be protected. Note that the file you point to can be something like /dev/con (the console) that would be terminated by a Ctrl+D or F6 (depending on your OS). This approach, however, will show the password as you type it.

    Another approach (as suggested) would be to add a -pfp (prompt for password) switch. Java doesn't natively support masking of passwords typed from the command line, so some additional work would be required to make that happen.

  • John Currier

    John Currier - 2010-06-28
    • assigned_to: nobody --> johncurrier
  • John Currier

    John Currier - 2010-07-20

    A new -pfp (prompt for password) flag has been added in revision 579 (beta available at\). If running in a Java6 or later JVM it will take advantage of the Console classes for getting the password. If the Console classes aren't available a home-grown implementation is used.

    Let me know if you run into any issues with it.
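
A minimal sketch of the prompt-instead-of-argument approach described in this comment, added here as an example; it is not SchemaSpy's code. The class and method names are hypothetical, and the fallback simply reads an unmasked line rather than reproducing the project's home-grown implementation.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

// Hypothetical illustration: PasswordPrompt and promptForPassword are
// names made up for this example.
public class PasswordPrompt {

    /** Returns the password as char[] so the caller can wipe it after use. */
    static char[] promptForPassword(String prompt) throws IOException {
        // System.console() (Java 6+) is null when no interactive terminal
        // is attached, e.g. input is piped or the JVM runs under a scheduler.
        Console console = System.console();
        if (console != null) {
            char[] pw = console.readPassword("%s", prompt); // echo disabled
            if (pw == null) {
                throw new IOException("end of input while reading password");
            }
            return pw;
        }
        // Fallback without a console: the input is NOT masked, and the
        // intermediate String cannot be wiped from memory.
        System.err.print(prompt);
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        if (line == null) {
            throw new IOException("end of input while reading password");
        }
        return line.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        // The password never appears in argv, so it is not visible in ps output.
        char[] password = promptForPassword("Password: ");
        try {
            // Assumption: the caller would pass the value to its JDBC
            // connection properties at this point.
            System.out.println("Read " + password.length + " characters");
        } finally {
            Arrays.fill(password, '\0'); // overwrite the secret once used
        }
    }
}
```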


  • John Currier

    John Currier - 2010-08-17

    Implemented in Release 5.0.0.

  • John Currier

    John Currier - 2010-08-17
    • status: open --> pending
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

  • SourceForge Robot

    • status: pending --> closed