

Thick client session management and security

I want to develop a thick client app (instead of using jsp/server side) which will provide a login panel upon launching my app. I am not sure whether it is the correct approach (in terms of security) so would like some comments.

Authentication will be through a back end database. That is, I create the user at the database level and my thick client app will authenticate with the database using the provided user id and password. Is this method safe enough? Or do I need a real session/password management api to do this?

How do I keep sessions in a thick client app like this? Also, if I want to encrypt traffic between my app and the database server, should I just use JSSE or similar? Is there a way to encrypt data instead of the communication channel? I believe my database server needs to also be able to decrypt my encrypted data.

I create the user at the database level and my thick client app will authenticate with the database using the provided user id and password. Is this method safe enough?

Yes, provided you do as follows:

  1. Hash the password in the database, rather than encrypt it.
  2. Validate the user by querying the database: SELECT count(*) FROM USERS WHERE USERNAME=? AND PASSWORD=MD5(?) or whatever hash algorithm you use. Note that this technique deliberately doesn't tell you whether the username or the password was wrong, so as to avoid any possibility of leaking that information to an attacker. The idea is that it returns either 1 or 0.

Or do I need a real session/password management api to do this?

Not really.

How do I keep sessions in a thick client app like this?

If you mean a session that persists between logins, keep it in the database. If you just mean a session that lasts between login and logout, just keep it in an object that is released on logout.

Also, if I want to encrypt traffic between my app and the database server, should I just use JSSE or similar?

Yes.

Is there a way to encrypt data instead of the communication channel?

The database can do it with encryption functions.

I believe my database server needs to also be able to decrypt my encrypted data?

What encrypted data? If you mean the stuff transmitted over SSL, it will be decrypted automatically.
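As an added example (not code from the question or the answer above), the following Python script demonstrates steps 1 and 2 of the answer against SQLite: passwords are stored only as hashes, and login is a single parameterized query that returns 1 or 0 without revealing which of the username or the password was wrong. SQLite has no built-in hash function, so a HASHPW function is registered on the connection; the salted PBKDF2 it computes is one choice for "whatever hash algorithm you use". The USERS table layout (with a per-user SALT column), the iteration count and the sample user are assumptions made for this example.

```python
import hashlib
import os
import sqlite3

# Added example; HASHPW, the USERS layout and the sample users are assumptions.
ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value, tune for your hardware


def hashpw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for the MD5(?) in the answer's query."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    """In-memory USERS table with the hash function exposed to SQL as HASHPW.

    A server database would provide its own hash function instead; the query
    shape in authenticate() stays the same.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("HASHPW", 2, hashpw)
    conn.execute(
        "CREATE TABLE USERS ("
        "USERNAME TEXT PRIMARY KEY, SALT BLOB NOT NULL, PASSWORD BLOB NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only a random salt and the hash; the plaintext never reaches the table."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO USERS (USERNAME, SALT, PASSWORD) VALUES (?, ?, ?)",
        (username, salt, hashpw(password, salt)),
    )
    conn.commit()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Single parameterized query: 1 on success, 0 otherwise.

    Username and password are bound parameters, never spliced into the SQL
    text, so injection attempts simply fail to match. Because both conditions
    sit in one WHERE clause, an unknown username and a wrong password produce
    the same answer (0), which is the point the answer makes about not leaking
    which part was wrong.
    """
    row = conn.execute(
        "SELECT count(*) FROM USERS WHERE USERNAME=? AND PASSWORD=HASHPW(?, SALT)",
        (username, password),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_db()
    create_user(db, "alice", "correct horse battery staple")
    print(authenticate(db, "alice", "correct horse battery staple"))   # 1
    print(authenticate(db, "alice", "wrong password"))                 # 0
    print(authenticate(db, "nobody", "correct horse battery staple"))  # 0
```

Run it directly to see 1, 0, 0 printed. The login routine in the thick client would call something like authenticate() once and, on a 1, construct the in-memory session object the answer describes; on a 0 it reports a generic "login failed" without distinguishing the two cases.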
