How to securely communicate with a database using a java applet

I have been writing web applications for quite some time in PHP with MySQL. I always stored my database connection information into a configuration variable and connected to the database that way.

A client wants a java applet for their website to communicate with their database. I'm very hesitant on this because the applet is going to be public and I am not sure how I would go about storing the database connection information.

I'm paranoid that someone would decompile my application or find some way to extract my database connection information and use it maliciously.

Any suggestions on how to do this securely?

Just to clarify, you're not too worried about the connection being "overheard", you're worried that somebody might hack open your applet and pull out the database connection details, right?

Well I would probably not let it connect directly and instead have it talk to a web-app that returned the data in JSON/XML. People can still grab that from within your applet if they really want to but they're limited to what the web-app can.

If that doesn't float your boat, make sure that the database user the applet uses is limited to doing only what it needs to. If it's just pulling data, don't give it insert permission.

If you're only doing writes, another option is to have a public database and a private database. Writes from your applet go into the public DB and get synced over once verified. The problem with this is you might lose some built-in checks and relationships unless you keep a copy of all the data in the public DB - which may not be safe.

Another option could be to give each user their own database user. Then if somebody unauthorised were to get the applet, they'd still need an account to get in.

I think that building an intermediary web-app is probably your best bet but I don't know the full scenario, so I'm not best placed to judge.

I would suggest having an applet which communicates with the website, which itself communicates with the database.

This is a trusted client problem. Without looking too deep into JDBC regarding authentication extensions on top of the standard JDBC connection credentials, I suggest that you wrap all requests through your own DB layer.

I have actually implemented a JDBC wrapper using Ajax where the client issues direct SQL statements from within JS to a Servlet which translates those into DB requests. I implemented update and query, and the whole implementation is less than 300 lines of Java Servlet code and 60 lines of JS code.

The solution does not include any authentication but that is easily added on top of the HTTP layer. Anyway you have a trusted client problem, it does not solve the problem where a hacked client can access the whole database schema outside any predefined or specified use cases, e.g.:

select * FROM records

Instead of the backend request:

SELECT id, data, val, ... FROM records WHERE userid = ...

Which only selects the records that were created by the authenticated user. The only way to ensure that security is maintained is to only access the DB through predefined data retrieval/modification methods. Otherwise the security and data isolation must be enforced by the database itself, read "expensive big O database" :)

My 400 line JS/Java example above is used in a test system for in house usage only.
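Added example, not part of the original answers or the answerer's servlet code: the contrast the last answer draws between a wrapper that executes client-sent SQL and access through predefined retrieval/modification methods. It uses Python with an in-memory SQLite database so it runs offline; the `records` columns follow the answer's query, while the sample rows, operation names and the `handle` function are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: rows owned by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, userid INTEGER, "
               "data TEXT, val INTEGER)")
    db.executemany("INSERT INTO records (userid, data, val) VALUES (?, ?, ?)",
                   [(1, "alice-a", 10), (1, "alice-b", 20), (2, "bob-a", 30)])
    return db

def passthrough(db, sql):
    """The SQL-wrapper design: whatever statement the client sends is executed."""
    return db.execute(sql).fetchall()

# Predefined operations (hypothetical names): fixed SQL text plus the exact set
# of parameters a client may supply. :userid is never accepted from the client;
# the server binds it from the authenticated session.
OPERATIONS = {
    "list_records": ("SELECT id, data, val FROM records "
                     "WHERE userid = :userid ORDER BY id", set()),
    "get_record": ("SELECT id, data, val FROM records "
                   "WHERE userid = :userid AND id = :id", {"id"}),
    "add_record": ("INSERT INTO records (userid, data, val) "
                   "VALUES (:userid, :data, :val)", {"data", "val"}),
}

def handle(db, session_userid, op, params):
    """Run one named operation for the authenticated user; reject anything else."""
    if op not in OPERATIONS:
        raise PermissionError(f"unknown operation: {op!r}")
    sql, allowed = OPERATIONS[op]
    if set(params) != allowed:
        raise ValueError(f"{op} expects exactly parameters {sorted(allowed)}")
    bound = dict(params, userid=session_userid)  # identity comes from the session
    cur = db.execute(sql, bound)                 # values are bound, never spliced
    db.commit()
    return cur.fetchall()

if __name__ == "__main__":
    db = make_db()
    print("passthrough:", passthrough(db, "select * FROM records"))
    print("user 1 list:", handle(db, 1, "list_records", {}))
    print("user 2 reads id 1:", handle(db, 2, "get_record", {"id": 1}))
```

With the passthrough, a decompiled or modified client reads every user's rows; with the operation table, the worst it can do is call the listed operations as the account it authenticated with.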
