I have a website that I'm wanting to create a Java application for, and while I don't have any experience creating android applications I have a decent amount of Java experience and feel like I should be able to complete this task over some time. I'll be making use of the Java.IO package for client-side networking (On the application) and hosting a server using Java. This server application will have access to all of the same databases as the website through JDBC. (I'll be hosting it all on the same server.)
My question is how to go about handling connections on the android platform, currently I verify a dynamically generated salt with the database salt on every page refresh to prevent session theft. I also make sure that the encrypted password and the user-name stored in the session match.
I could theoretically just create a standard server application, using NIO and avoding the whole thread-per-client scenario. The problem is that my website has quite a bit of traffic, and I know the application will too. So I'm running into issues on how to handle it.
If I use a keep-alive TCP connection and store the users basic information in a class data structure (Psuedo example):
class User {
int id;
}
Considering all information will be polled from a database and everything is relative to the id of an account, there's no reason to store any excess data into the User class, correct? Just a quick simple lookup tied to the connection to only get data relavent to yourself.
Should I avoid the use of TCP networking for this? What do you guys think.
On the server side, create REST web services that invoke CRUD operations on the server database, and return the responses to the client as a JSONObject or JSONArray. Android has internal support for JSON parsing, and you can use the Volley library to call the web services. Volley is a pretty abstract, high-level HTTP library that makes it very easy to make REST web service calls. TCP connections are quite low-level and are not generally used in client-server Android apps. See the Transmitting Network Data tutorial for more on this.
Related
So I have a Java Program that just runs in the windows console at the moment. When the program first starts, I want to have it go through a login prompt with a username & password. I’ve previously used a MySQL database to check if a username + password combo exists, and then allow that user to login. I know how to encrypt passwords and such when I compare them to the database info. However, when I did this, the MySQL login details were left in the code so that the program could connect to the database. This leaves a huge problem in that someone could decompile the program and find those login details, then use them to access the database.
So my question is, is there a way to access these logins using the program, WITHOUT exposing my database details to a snooping person. Is there a library out there that could accomplish this?
Yeah you can do it, But you need to re-architect your application.
You should separate you application into two different application.(In short: you have long way to go)
1- Client Application: Where your Java Application is interacting with the end user.
2- Server Application: Where your Application is interacting with your DataBase. This Application can talk to your Client through your network.
Note: keep in mind that, any application at client, can be decompiled. All traffic even any communication between client-server can be monitored.
There are many methods out there, to make the communication between the server and clients. The choice is yours, you can make your own one (Socket communication) or follow some standards like REST or SOAP.
If you want to use REST or SOAP, there are many ready framework and libraries available where Spring is one of them. Since you need to have Server Application(Ex: Rest Server), you need to run your server application in a container, where in this case, Tomcat is the most famous one in JAVA world.
But there is better way to Start ; you can make an Spring Boot Application for your Server app. Most of the libraries even your container is already embedded, and you only need to focus in your Application Logic. Once it's done, you just need to run a single jar file and your client can start talk to the server app, through network. The drawback is that you need to follow the spring boot standard.
You can also Secure your Rest API by Spring Security framework (Which is totally separate topic), but you can simplify it to, token exchange between your server-client for each REST call.
So in this scenario, let say someone decompile your client application, he would
see nothing but, some rest API links, which can not work without login and token.
Also keep in mid that you also need to Secure the communication between Server and Client Throw the Network by TLS.(Which is totally separate topic)
If you're giving out db access then deal with the side effects of that choice. I think mysql offers some kind of row level security option. Check the docs.
If you want some level of backend obfuscation then put it between your users and backend via REST or some other scheme.
I am creating 3 applications that are written for different platforms (.NET (C#), Android (Java) and PHP). I'm using C# for the WPF application that is going to run on Windows PCs, PHP on the server side and Java for the mobile app. I am using a MySQL database where I'm storing all the information that 3 apps are going to be using.
I am using web requests to my Apache server (JSON and POST basically) when I need some specific stuff to do with PHP.
But, how safe is:
When I'm connecting to the MySQL database via C# and Java?
When I'm sending GET and POST web requests with C# and Java?
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database, or even get the post request parameters that the app is sending?
Because I know there are a lot of network-monitoring software and I wouldn't be surprised if this is possible.
If it is, then how to avoid it?
"How secure are Java and C#?" isn't quite the right question, because the answer depends on what you do rather than the features in the languages. They both have plenty of good options for implementing various types of security in various ways. What really matters in your case is how the machines communicate.
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database
Your clients (the PCs and Android devices) should not be connecting directly to your database. They should submit requests to your server, where you have much more control, and can authenticate clients and validate their data. The server then connects to the DB.
If the clients call the DB directly, not only are the credentials transmitted over the internet, but they must also be present locally on the client in some form. This means that someone could potentially crack your app and get access to them.
or even get the post request parameters that the app is sending?
Yes, these can be intercepted and read. Again, preventing this is a matter of how you implement the communication. Use the HTTPS protocol, which you can do in both C# and Java, and the content of your requests will be protected from being intercepted by third parties along the way.
When your traffic is noticed or intercepted it will be freely interpretatable to the reader. You can see an example of such traffic in the console window of your browser, or if you want to view the actual application traffic use a proxy (such as Fiddler2).
If you want to prevent your traffic from being read, you have to take measures to ensure authorization and access control. You can do this by encrypting the traffic with TLS/SSL. If you have web-endpoints you can often enable https trough the libraries configuration. You may need to pass it as a parameter to the code that builds your connection.
Furthermore, it is best practice not to divulge sensitive information in your application output. You will want to use strong passwords and refrain from storing or sending these in plaintext.
I would also advice you to break down the need for securing in smaller bits.
Example:
You are using a lot of different technologies. These all have best practices and guidelines related to security. Separate your applications from your networking/operational assets. Encrypting your communication is a measure in your application. Whereas your MySQL configuration works in a different way entirely, mostly trough configuration.
Why are you connecting directly to your DB from the Android/WPF apps?
If the MySQL DB is sitting on a secure server, perhaps wrap the database calls/services in RESTful APIs implemented in your PHP solution, then call the APIs from your client apps, this also saves you from writing SQL statements and DB specific tasks in multiple languages (Java/C#)
not knowing your situation makes it hard though...
Currently i have a website offering some product. The webserver sits on the same system as the database and directly accesses it to retrieve the required information for the HTML frontend. Now i think it is good to separate the database from the webserver via an API server. The reason why i want to use an API server is that it might be possible that future applications, other than the website, will need access to the information on the system.
The system which i want should consist of the following components:
A database which will store all the required information.
An API server which will be implemented in Java and should use oauth2 for authorizing user requests. The API server will have the only direct connection to the database.
A webserver.
So basically what i have in mind is that i want to build my website on top of that API server. The user will register/login/... over the website and the website implementation will internally query the API server as a webservice on behalf of the user. The API server would then return the data from the database. That way the HTML frontend is just an application using the API server and will never itself be in direct contact with the database.
I think that this is an often encountered problem for which a good solution exists. I am unsure if this solution is the way to go though. Could you help me out and/or point me in the right direction from here?
Thank you.
As far as I know, it is not advisable to have a separate API server for a couple of reasons: decreasing performance and increasing compexity of a system. So basically you should avoid this type of solution for as long as possible.
You should definitely read M. Fowler: "Enterprise Architecture Patterns" for inspiration.
Returning to your question: have you considered making this API layer as a module (library)?
If I haven't convinced you, try reading Java RMI documentation (http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136424.html)
I am learning to program Java. My objective is to create client server application based on Java and MySQL.
That would have following.
Server Application where all admin controls would be available to configure.
server application will be the only to have access rights to MySQL.
Server will have all functions and objects that clients will require and call and get that functionality. (Reason for that is "I don't want to share MySQL credentials to client apps or rather i don't want MySQL credentials to be transmitted on the network to clients"). As it would increase maintenance tough and it could be a security loop hole.
An analogy of functionality could be: client calls to server telling to add an Order such addOrder(order_id, payment,..,...,..) and so on.
What are the method in practice for such kind of application these days? A example code/or material to get in right direction would suffice
These days the universal way to expose a service remotely is via a web service. This solution was preferred by the industry over time due to its simplicity and ease of integration to the point that binary based protocols like CORBA are now seldom used.
Take the example of Android applications, they are native application mostly using REST web services.
A REST web service can be easilly integrated in the same way with a desktop application, a mobile application or a web application, even if the clients are written in different native platforms and languages.
As sample code, have a look at tutorials on the Spring stack. For the server see this tutorial for building an hello word REST web service. For the client, consider the REST template.
For security, see this Spring security hello world example. Using the Spring stack in Java will likelly give you the largest number of tutorials and online support.
This sounds like a good place to use RMI, which Java has built in support for. RMI will allow your client to call server-side methods on a local object that corresponds to the server, where all messages/commands get transparently sent to the actual server, where you have your DB access stuff and logic.
I would like to create a touch screen application.It will be a windows application, so using that how can i get data from a web server?
There are several methods.
Your server can create scripts/webpages to return data in XML or JSON format upon request, and your windows application will have to make HTTP requests to your scripts/web server, retrieve and parse to get the data.
Make sure to protect your data which are requested from the web to prevent other unintended use.
You can also directly connect to the database (depending whether your database supports remote connection or not...)
Using a webserver is usually totally independent from the clients operating system. It may be tricky if the webserver provides service and entity beans and you rich client is written in C/C++ language.
But there are several protocols where you do not have to care. If your application is a thin client (browser interface), I suggest having a look at REST. For rich clients you can use SOAP to talk with your server.
Of course, the server has to provide the data for the chosen protocol...