Credentials for Application use

[Mikey <mike_chan_ () hotmail com>]

This is a broad question around the current practices and recommendation of 
what not to do when it comes to credentials used by applications to gain 
access to a resource or data stored elsewhere.

As an example, I have some middleware components that need to gain access 
to a data repository that contains sensitive information. The middleware 
components and data repository reside in separate, distinct security 
boundaries protected by differing authentication and access control mechanisms.

Application developers insists the only way to gain access to the data 
repository is to create a set of credentials for the repository that only 
they can use. But because the middleware components are using it, there is 
no requirement for a user to enter those credentials in order to 
authenticate usage. I guess I wouldn't want the users to know the details 
of this set of credentials either.

Short of creating a user credential for each user accessing the application 
on the data repository side, they insist that they need to store the userid 
and password in a static format somewhere on the middleware server. For 
example, a configuration file or some part of the operating system.

Is there a best practice guideline for this scenario? What have other 
people in the same situation been doing here?