Our application reads login/password information to access the database and FTP servers from an XML file (so that they can be manually changed). The file is then packaged with the EAR file before being deployed. This is clearly not secure. What is the best approach to securely store these credentials? I was thinking we could have an administration page for the application where the administrator can manage those passwords and store them in a safe place. Then the application server will be able to read them and use them to access the DB and FTP servers.
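
As an added example (not part of the original question), here is a build-time check for the packaging problem described above: it scans an EAR, including nested WAR/JAR/RAR modules, for XML files that carry literal password values. The name patterns, the `${...}` placeholder convention and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Names treated as credential-bearing (an assumed naming convention).
SECRET_NAME = re.compile(r"passw(or)?d|pwd|secret", re.I)
# Runtime references such as ${DB_PASSWORD} are not literals and are not flagged.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

def _literal(value):
    return bool((value or "").strip()) and not PLACEHOLDER.match(value.strip())

def scan_xml(data, path):
    """Flag elements/attributes with secret-like names and literal values."""
    try:
        root = ET.fromstring(data)  # intended for your own build artifacts
    except ET.ParseError:
        return []
    found = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop XML namespace
        if SECRET_NAME.search(tag) and _literal(elem.text):
            found.append((path, tag))
        for attr, value in elem.attrib.items():
            if SECRET_NAME.search(attr) and _literal(value):
                found.append((path, f"{tag}@{attr}"))
    return found

def scan_archive(data, prefix=""):
    """Walk an EAR (a zip), recursing into nested WAR/JAR/RAR modules."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".war", ".jar", ".rar")):
                found += scan_archive(zf.read(name), f"{prefix}{name}!/")
            elif name.lower().endswith(".xml"):
                found += scan_xml(zf.read(name), prefix + name)
    return found

def build_sample_ear():
    """Constructed sample: an EAR whose WAR carries a credentials XML file."""
    war, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/classes/servers.xml", "<servers><db user='app'><password>"
                   "example-only</password></db><ftp password='${FTP_PASSWORD}'/></servers>")
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("app.war", war.getvalue())
    return ear.getvalue()
```

Run in a build pipeline, a non-empty result from `scan_archive` can fail the build so that credentials stay outside the deployed archive.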