If a datasource contain confidential information, i feel better not to specify username/password in the datasource configure file and request the application to provide this information when getConnection(). By doing this, just getting the JNDI name of the datasource cannot retrieve information from the database.
If the datasource is used by CMP entity bean, can i still leave out the username/password in datasource definition? (if yes, please inform me how?) or i must use BMP ?