This is not generally a security concern, since if an attacker can read this file he has already compromised your system. However, if you're concerned about this anyway, use JNDI-based configuration instead, or use the server-side Config class to inject the credentials dynamically after loading them some other way.
I understand what you are saying about the issue being moot once someone has already gotten to the config file. But our security group will not bless my app unless the password is hashed up somehow. Can you show me how to do the latter approach?
I think something like what Hibernate did with Jasypt. I got that to work. I just need to find out where I can inject the connection password.