This is a lab exercise on developing secure software. For more information, see the introduction to the labs.
Please eliminate the hardcoded credentials in the sample code.
In this exercise, we'll remove a hardcoded credential (in this case a password) embedded in the code.
Please change the Java code below to eliminate hardcoded credentials. The code logs in to a database system, but uses the hardcoded username "admin" with hardcoded password "admin". At the very least, the password should not be exposed by being hardcoded into the source code. A credential that needs to be kept secret, like a password, is too exposed and too hard to change when it's hardcoded into the code. It would also be wiser to not hardcode the username, since the username might change.
For our purposes, we'll modify the code to retrieve the username and password as environment variable values. The username (second parameter) will be in environment variable USERNAME while the password (third parameter) will be in environment variable PASSWORD. In Java the expression System.getenv("FOO") retrieves the value of environment variable FOO.
Environment variables aren't a perfect solution, since they are typically accessible to the entire program. Other better mechanisms may be available on your platform. In this example we'll use environment variables because they're portable, easy to use, and certainly better than using a hardcoded credential. Note: Java also supports including the username and password in the url, but for purposes of illustration we will not use that alternative.
Use the “hint” and “give up” buttons if necessary.
Please modify the Java code below to eliminate the hardcoded password and the hardcoded username.