stackoom
  简体   繁体   中英

for securing a database that is meant to be accessed by several clients, is using a web service as a proxy an overkill?

 原文  2012-08-15 20:02:22       c#/ database/ web-services/ security

Question

we're going to have a database, and a client application that is going to be installed on several machines in a local network, and they must be able to access the DB.

Some of them must be able to edit and modify the DB, and some of them are going to just read them. each of these two groups are separated to several groups too, based on who must be able to access to which table/field.

To create this application, we were gave an advice to deploy a web service to role as a proxy between clients and the DB, in order to secure the DB.

But we're not transferring any sensitive data (such as credit card numbers or...) and we're only afraid of not an unauthorized person be able to modify the DB.

Isn't just using the integrated security option in the app.config sufficient?
Do we really need to hide and secure the connection string?

2 answers

solution1
 1  2012-08-15 20:11:59

Sounds way overboard to me. If the application is only going to be used internally, and Windows authentication is an option, certainly use it. Building a web service is only going to slow down development and add an unnecessary layer of complexity. The read/write users could be members of a Windows group that has read/write access to the database, and the read-only users could be members of a Windows group that only has read access to the database. Then, if the user is able to gain direct access to the database (without using your front-end) they would only be able to either read or read/write based on their Windows rights.

solution2
 1 ACCPTED  2012-08-15 20:21:15

It could be overkill, but it might not be. Deciding to go to a Service-Oriented Architecture could be based on several factors, among which:

  • How long are you expecting to maintain this application?
  • How many client deployments are you expecting?
  • Do you expect your database to change often?
  • What are your SLA requirements?
  • Do you expect the database to eventually be used for other applications?
  • etc...

The long and short of it is, if you want to be able to change things in the middle tier or database, and you don't want to have to upgrade every client when you do so, adding a Service layer might be the way to go. You also have the advantage of providing a rich API for other client developers (internal or external) while controlling business rules and security in one, centralized location.

SOA definitely adds to the complexity of the project, but in many cases, it can save you a lot of headaches in the future.

For further reading, look at http://en.wikipedia.org/wiki/Service-oriented_architecture , http://www.soapatterns.org/ , or Google.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Securing Database Access from Web Service via proxy? Securing a web service? REST web service - is entity framework an overkill? how to authenicate clients using certificates in an ASP.NET web service Identity Management - securing a REST API / web service Pushing to clients from a web service How to set up my WCF service to be able to be accessed by remote clients web service proxy setting Proxy web Service .net ensure web service only accessed by authorized applications
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM