Configuring hibernate with encrypted password in JPOS


Puneeth S B

Jul 14, 2025, 8:11:09 AM
to jpos-...@googlegroups.com
Hi Team,

I'm a newcomer to jPOS and currently working on a task that involves securing configuration credentials, specifically removing the hard-coded database password from the db.properties file.
The property file currently looks like this:
hibernate.connection.password=mypassword

I've referred to the official documentation here: jPOS Configuration Tutorial, which explains concepts around obfuscation and the obf utility. However, I'm still unclear on how to properly integrate this with hibernate so that it securely decrypts the password at runtime.

Could you kindly guide me on how to implement this securely? Any examples, best practices, or relevant points would be truly appreciated.

Thanks & Regards,
Puneeth S B

Andrés Alcarraz

Jul 14, 2025, 10:08:47 AM
to jpos-...@googlegroups.com

Hi Puneeth, welcome to the jPOS users list.

If you are using jpos DB to access hibernate, all you have to do to obfuscate the password is to get an obfuscated value by running:

q2> obf mypassword
obf::aji0cwAAABXjIDkTc/RwOziQL3vsNCqxg49sa2hM9lz4+smcKvQlaZXPOv8=

And then just put that returned value in the db.properties file, e.g., if the line looked like this:


hibernate.connection.password=mypassword

Then, all you need to do is to replace it with:

hibernate.connection.password=obf::aji0cwAAABXjIDkTc/RwOziQL3vsNCqxg49sa2hM9lz4+smcKvQlaZXPOv8=

If you are using hibernate in another way, you would somehow need to call Environment.getProperty() before passing the properties to hibernate if you want to use this jPOS support for that.

That said, keep in mind that obfuscation is just that, obfuscation, not encryption nor secure. It just hides the password from being displayed in plain, but anyone with jPOS sources will be able to get the original value, just as jPOS does.

I will leave the best practices part to people with more practical experience in this matter.

Andrés Alcarraz

Puneeth S B

Jul 16, 2025, 6:01:42 AM
to jpos-...@googlegroups.com
Hi Andrés Alcarraz,

Thanks for your warm welcome and for detailing the obfuscation approach.

I followed the exact steps you mentioned, generating the obfuscated password via the Q2 CLI and replacing it in db.properties as below,

hibernate.connection.password=obf::ajiocwAAABXjIDkTc/RwOziQL3vsNCqxg49sa2hM9lz4+smcKvQlaZXPOv8=

We're using jPOS's built-in class for Hibernate, no custom session initialization or manual configuration overrides. Yet, the obfuscated password doesn't seem to get resolved internally, and I keep getting access denied errors when attempting to connect. If I switch to the plain-text password, everything works as expected.

Just wanted to check if there might be something I'm missing - perhaps some environment set-up details or a way to confirm that db.properties is being parsed correctly by jPOS?

Happy to share any additional logs, configs or runtime info if that helps clarify the issue.

Regards,
Puneeth S B


Andrés Alcarraz

Jul 16, 2025, 7:10:16 AM
to jpos-...@googlegroups.com

If you could share a toy repository or zip file where you just configure a known simple password, and a script to create the db we could try to replicate the issue.

But for now, I noticed you entered the exact obfuscated text that I shared with you, which does not correspond to mypassword. I just copied it from the tutorial, which used mySuperSecurePassword, but I cannot confirm it is the associated password. Can you describe the exact steps you followed?

Andrés Alcarraz

murtuza chhil

Jul 16, 2025, 8:00:25 AM
to jPOS Users
Not trying to muddy the waters, do look at some older discussions


-chhil

Alejandro Revilla

Jul 16, 2025, 12:35:10 PM
to jpos-...@googlegroups.com
In db.properties you need to put:

In cfg/db.properties you can use something like this: 

hibernate.connection.password=${db.password}

Then you set the obfuscated (or HSM-encrypted) value in cfg/default.yml, or in a DB_PASSWORD environment variable.
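
A configuration check built on the conventions discussed in this thread, added here as an example (it is not code from jPOS or from any poster): it reads a .properties file and reports whether each credential-like key holds a plaintext value, an obf:: value, or a ${...} placeholder. The key-name pattern, the replica.* and report.* keys and all sample values are constructed assumptions.

```python
import re

# Added example: key names and sample values below are constructed.
SECRET_KEY = re.compile(r"(password|passwd|secret)$", re.IGNORECASE)
PLACEHOLDER = re.compile(r"^\$\{[-\w.]+\}$")  # bare ${name} only, e.g. ${db.password}
OBF_PREFIX = "obf::"                           # prefix shown in the thread's obf output
ENTRY = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")

def parse_properties(text):
    """Minimal .properties reader: #/! comments, '=' or ':' separators, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        m = ENTRY.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def classify(value):
    if PLACEHOLDER.match(value):
        return "external"     # value lives outside the file (default.yml / environment)
    if value.startswith(OBF_PREFIX):
        return "obfuscated"   # hidden from casual view, but reversible (see thread)
    return "plaintext" if value else "empty"

def audit(text):
    """Return {key: classification} for credential-like keys only."""
    return {k: classify(v) for k, v in parse_properties(text).items()
            if SECRET_KEY.search(k)}

def failures(text, allow_obfuscated=True):
    bad = {"plaintext"} | (set() if allow_obfuscated else {"obfuscated"})
    return sorted(k for k, c in audit(text).items() if c in bad)

SAMPLE = """\
# constructed sample, not a real configuration
hibernate.connection.username=jpos
hibernate.connection.password=mypassword
replica.connection.password = obf::CONSTRUCTED-PLACEHOLDER=
report.connection.password: ${db.password}
"""

if __name__ == "__main__":
    for key, state in audit(SAMPLE).items():
        print(f"{state:10} {key}")
    raise SystemExit(1 if failures(SAMPLE) else 0)
```

Calling failures() with allow_obfuscated=False also rejects obf:: values, for setups that treat obfuscation as insufficient and require the value to come from outside the file.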


