堆栈内存溢出
  简体   繁体   English

你在哪里存储数据库密码?

[英]Where do you store database passwords?

 原文  2011-02-03 22:19:17       java/ security/ password-protection

问题描述

What are ways of getting database and other service passwords out of your code? 从代码中获取数据库和其他服务密码的方法有哪些? I've read about using per server properties files but when you have a large number of servers it gets to hard to maintain. 我已经阅读了有关使用每个服务器属性文件的信息,但是当您拥有大量服务器时,它很难维护。 I've also seen a solution using a CI's build process to "inject" passwords but that makes it difficult to update the password on-the-fly. 我还看到了使用CI的构建过程“注入”密码的解决方案,但这使得很难即时更新密码。

Some requirements to help narrow the field of answers... 一些要求有助于缩小答案范围......

  1. The password should be easy to change and propagate in the event of a security breach. 在发生安全漏洞时,密码应易于更改和传播。
  2. Password can not appear in code (due to point 1) 密码不能出现在代码中(由于第1点)
  3. It should be "non trivial" for a human to get a plain-text version of the password 对于人来说,获取密码的纯文本版本应该是“非常重要的”
  4. Should work well in the web application and stand alone applications 应该在Web应用程序和独立应用程序中运行良好
  5. Easy to adopt from a application developer standpoint 从应用程序开发人员的角度来看,易于采用

Some nice-to-haves include not introducing a single point of failure, a quick development time, and easy to understand. 一些好处包括不引入单点故障,快速开发时间和易于理解。

This is similar in spirit to this question but with an strong emphasis on maintainability and focuses more on the server side case. 这与此问题的精神相似,但强调可维护性,更侧重于服务器端案例。

3 个解决方案

解决方案1
 7 已采纳  2011-02-03 22:25:48

You could store it in plain text in a file in a protected directory that can only be read by the account in which the application is run. 您可以将其以纯文本格式存储在受保护目录中的文件中,该文件只能由运行该应用程序的帐户读取。 In case of a web application, you should always store the password outside the web root folder. 如果是Web应用程序,则应始终将密码存储在Web根文件夹之外。

解决方案2
 1  2011-02-03 22:27:41

If you use a database connection pool then the username, password and other database details are generally managed in the Java Web Container and presented to the Java code as a Datasource. 如果使用数据库连接池,则通常在Java Web容器中管理用户名,密码和其他数据库详细信息,并将其作为数据源呈现给Java代码。 You just ask for a Database connection without having to know any of these details. 您只需要数据库连接,而无需了解任何这些详细信息。

解决方案3
 0  2013-07-10 05:42:35

In addition to storing it in a text file outside web root, how about using encryption? 除了将其存储在Web根目录外的文本文件中之外,如何使用加密? With most languages, it's pretty trivial to use an encryption method and, though it might not be strictly necessary to protect from web attacks, it makes it more difficult for another person who may gain access to the file on your system. 对于大多数语言来说,使用加密方法非常简单,虽然可能不是绝对必要的,以防止网络攻击,但是对于可能访问系统上文件的其他人来说更加困难。 Additionally, a bit of obfuscation, disguising the file as something else with a boring name that will be likely overlooked, makes it less likely that someone will find it even in the event they have physical access to the server. 此外,有些混淆,将文件伪装成可能被忽略的无聊名称的其他内容,使得即使在他们有物理访问服务器的情况下,也不太可能找到它。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Java在哪里存储记住的HTTP基本身份验证密码,以及如何删除它们? - Where does Java store remembered HTTP basic auth passwords and how do you delete them? 如何在数据库中存储密码? - how to store passwords in database? 您在哪里存储JPopupMenu的逻辑? - Where do you store the logic for a JPopupMenu? 通过Java在Windows中的密码存储位置 - Where to store passwords in Windows via Java 您将数据库字段名称放在哪里? - Where do you put the database field names? 将多个密码存储到数据库的最佳方法 - Best way to store multiple passwords into Database 你在哪里存储静态数据前端或后端? - Where do you store static data frontend or backend? 传统上,你在哪里存储Java .class文件? - Where do you store Java .class files, conventionally? 您是否需要数据库来存储 java 桌面应用程序中的数据? - Do you need a database to store data in a java Desktop Application? Java如何使用首选项API?这些变量存储在哪里? - Java How do you use the preference API? Where do these variables store?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM