我不是Java开发人员,但我的客户已经雇用了一个更新其网站上的一些JAR文件.在此之前,我们审核了现有代码并发现了许多安全漏洞.我们用于使文件更安全的解决方案之一是创建一个对数据库具有只读访问权限的新数据库用户,并且仅针对JAR文件需要操作的那些表.然后我发现他们将这些凭证与JAR文件一起存储在纯文本文件中,只是远离公众的教育猜测.最后,今天他们要求更宽松的数据库权限,但我不认为她理解她真的不应该为正确编写的JAR文件需要它们.
无论如何,我很确定这个开发人员如果把它咬在后面就不会知道安全漏洞.而且我对Java / JAR文件不够了解,不能正确地告诉她她应该做什么,只关于infosec告诉她她不该做什么.
那么在编写连接到远程MySQL数据库的分布式JAR文件时,典型的安全注意事项是什么?是否有加密连接详细信息(用户名和/或密码)的标准方法? IIRC,不是.jar文件只是美化ZIP档案,并且没有任何人可以解压缩文件并查看源代码中的连接细节?有没有办法加密jar文件内容?
更新:我收到了开发人员的以下说明.这听起来不错吗?
All the classes in the jar file are encrypoted. i have always encrypted all the class files before archiving them in a jar file. if you open any [redacted] jar,you will only see encrypted code. so there is no chance for a user to be able to view the source code by decompiling the classed. the classes do use jdbc to connect to the db,the search eangine needs to connect to the DB to run sqls. these sqls are in teh encrypted clasees in the jar file.
when i asked you about the encrypting the DB password,I meant what you say below. we will write an encryption/decription code in java and use it. Thecompiled class from this source code will again get encrypted as part of the reoutine class encryption procedure. We use a Java obfuscation tool called Retroguard to encrypt all the classes. we also embed a key in the html page to make sure that the application will work only if it has been downloaded form [redacted] website. if the user copies the jar to his local machine and tries to run it,it will fail.
156
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
