Actually by type 4 db connection from java i am connecting to oracle database like this:
In dbconnection.java i have written below:
Class.forName("oracle.jdbc.driver.OracleDriver");
con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:database host name","database user name", "database user password");
return con;
Is there any method how can i write these 3 fields(database host, database username, database user password) in encrypted form in java class dbconnection.java like below:
Class.forName("oracle.jdbc.driver.OracleDriver");
con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:wrtwtr#$%$_rfwrw","regfwerfgwf", "%%5frfr^&%$%4");
return con;
and during database connection, these encrypted fields will be decrypted and will be connected to oracle database in actual names
Then in servlet i am calling like:
dbconnection db= new dbconnection();
Any help please
解决方案
Rather than trying to hide your connection details, you should provide a secure way to allow externally controlled applications (or instances of applications) to access your database.
An API is basically a middle layer between your database and an application you do not have control over. For example, facebook, rather than allowing direct access to their database, allows developers to access their data through an API. This means that applications can be authenticated (thus meaning they can be held responsible), and you can control explicitly what applications can and cannot see and edit.
Basically, through an API, you can protect your database while simultaneously keeping track of who is doing what (though the protection aspect is usually the main draw).
I must say though that sometimes, if you trust the people using the application, it's just easier to not worry about it. For example, if you work at a small company of competent, well meaning people, then it would likely be safe to allow the application to connect directly to the database.
If you are distributing your program to the general public though, or a large set of people whom you do not completely and totally trust, then you should not allow direct access, no matter what kind of precautions are taken.
Assume that you do figure out how to encrypt your credentials. At some point, you must still make the connection. What happens now if a user grabs the decryption/connection code, has the connection made, then inserts his own code after it? Suddenly he has access to your database. With an API, worst case, he could steal the API key and have limited, traceable, easily revokable access.
And besides, if you're allowing access to an API, you only allow users to do what you want them to do. So worst case, if he does figure out how to use the API directly, all he can do is what the program allows him to do anyway.
4426
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
