stackoom
  简体   繁体   中英

How to secure password for SQL Server login from a java form application

 原文  2012-05-21 20:28:01       java/ .net/ sql-server/ security

Question

I am making a Java based form desktop app, a mini login form, that will be able to login into a grand system which is online in asp.net. The purpose of this app is to install on pcs, and whereever this exe is installed, the website could be logged in, other wise not. The problem is, i have put the connection string of sql server in it, and employees will install this app on their machines, there is a tool available which decompile JAR and classes. And when i checked my classes in it, it was showing my sql server password. And it can give a chance to them to hack this app, this is really dangerous for us to provide them or give them a chance to get sql server password. Can you please help, is there any such solution that i could give MD5 encrypted password or some encrypted password in connection string and sql server could be able to understand it.
Thanks

2 answers

solution1
 1 ACCPTED  2012-05-21 22:57:05

There are a few ways you can handle this.

  1. the user info in your connection string should be limited to execute exactly one procedure: the one that tests if the MAC address is valid. This limits exposure. Not in an ideal way, but it's something.

  2. Don't send a connection string at all. Instead have the java application post the mac address to a web service. The service should connect to the database server to determine authorization. Better than option 1.

  3. Even better: Don't rely on MAC addresses. If you are worried that someone will look at the connection string then it stands to reason they might change their MAC address to mimic another machine. It stands to reason that anyone familiar enough to directly connect to a database server will also be familiar enough to download one of the many freely available tools to spoof their MAC.

Which leads to a comment: I think your doing this wrong. If the entire purpose of the java app is to simply read the MAC to validate whether that particular machine should have access then you have some serious issues with understanding security and I think you really need to evaluate what, exactly, it is you are trying to stop.

solution2
 0  2012-05-21 20:49:45

You can use integrated authentication, provided that the database server is in the same active directory domain as your users. Simply specify Integrated Security=SSPI in your connection string and grant regular users rights corresponding to what you want them to be able to do in the database (for example, read only access), but no more.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to secure sqlite db using password in java application How to fix java.sql.SQLException: Server is running in --secure-auth mode, but 'user'@'host' has a password in the old format; (…)? How to connect to ms sql server on remote desktop( requires user login and password ) using java? Java login form with SQL How To Secure SQL Server Credentials In Java Web Service Applicaiton Login with SQL Server in Java How disable SQL Server jdbc driver logging from a java application? How secure is sending a password to the server unencrypted in GWT? How to secure the credentials in java application How would I approach secure communication from Android application to Server
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM