Java Safely Store Personal Data in Distributed Application
Question
Let's say I'm writing a Java application that connects to a database to authenticate a user before allowing the application to run. I need to store the URL of the database, the username, password, and database name. Obviously, anyone could decompile the application and see the information and use it against me. Even obfuscation wouldn't work. How could I safely hardcode personal information into a Java program?
NOTE: This is a hypothetical, so please don't tell me anything specific to database info storage.
3 answers
solution1
1 2013-10-21 15:02:13
You can't. It is impossible to totally hide informations you give, since you need to use it and thus, to find it.
If you really don't want to give an access-limited username and password, then don't use remote database connection. Instead, you could send the user entered login and password to a server application, that would read query your database.
solution2
0 2013-10-21 15:01:54
How about using a public key to encrypt the login data and saving it to your java program A, which is shared with other people. A transmits the encrypted data to program B (B is kept private on a secure server); B uses your private key to decrypt the information and autentificates program A to connect to the DB.
solution3
0 2013-10-21 15:57:06
I think a good way is to split application presentation and logic. Application presents only data, that are retrieved using public exposed functions as may be web services or API, or whatever logic you want which is following a Façade_pattern (service facade or session facade).
This can be easily obtained by using for example RMI or EJB. In the logic part you connect to database/xml on disk/your phone/whatever, but this will be done on a machine which is not reachable from outside, if not for remote calls.
Between your client(presentation which can be a java program, a web site, a phone application) and the logic(which is on your server) there may be a firewall or what ever protection you want. By the way on server side you can encrypt data in your EJB(which accesses the database), but it won't be shown externally.
I mean that's the good part of not knowing how things are implemented, the client doesn't know what the remote methods is doing, it just takes data back and that's all.
I think that expanding a bit this concept it may work, this is just a rough idea.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.