Currently i have a website offering some product. The webserver sits on the same system as the database and directly accesses it to retrieve the required information for the HTML frontend. Now i think it is good to separate the database from the webserver via an API server. The reason why i want to use an API server is that it might be possible that future applications, other than the website, will need access to the information on the system.
The system which i want should consist of the following components:
A database which will store all the required information.
An API server which will be implemented in Java and should use oauth2 for authorizing user requests. The API server will have the only direct connection to the database.
A webserver.
So basically what i have in mind is that i want to build my website on top of that API server. The user will register/login/... over the website and the website implementation will internally query the API server as a webservice on behalf of the user. The API server would then return the data from the database. That way the HTML frontend is just an application using the API server and will never itself be in direct contact with the database.
I think that this is an often encountered problem for which a good solution exists. I am unsure if this solution is the way to go though. Could you help me out and/or point me in the right direction from here?
Thank you.
As far as I know, it is not advisable to have a separate API server for a couple of reasons: decreasing performance and increasing compexity of a system. So basically you should avoid this type of solution for as long as possible.
You should definitely read M. Fowler: "Enterprise Architecture Patterns" for inspiration.
Returning to your question: have you considered making this API layer as a module (library)?
If I haven't convinced you, try reading Java RMI documentation (http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136424.html)
Related
I am creating 3 applications that are written for different platforms (.NET (C#), Android (Java) and PHP). I'm using C# for the WPF application that is going to run on Windows PCs, PHP on the server side and Java for the mobile app. I am using a MySQL database where I'm storing all the information that 3 apps are going to be using.
I am using web requests to my Apache server (JSON and POST basically) when I need some specific stuff to do with PHP.
But, how safe is:
When I'm connecting to the MySQL database via C# and Java?
When I'm sending GET and POST web requests with C# and Java?
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database, or even get the post request parameters that the app is sending?
Because I know there are a lot of network-monitoring software and I wouldn't be surprised if this is possible.
If it is, then how to avoid it?
"How secure are Java and C#?" isn't quite the right question, because the answer depends on what you do rather than the features in the languages. They both have plenty of good options for implementing various types of security in various ways. What really matters in your case is how the machines communicate.
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database
Your clients (the PCs and Android devices) should not be connecting directly to your database. They should submit requests to your server, where you have much more control, and can authenticate clients and validate their data. The server then connects to the DB.
If the clients call the DB directly, not only are the credentials transmitted over the internet, but they must also be present locally on the client in some form. This means that someone could potentially crack your app and get access to them.
or even get the post request parameters that the app is sending?
Yes, these can be intercepted and read. Again, preventing this is a matter of how you implement the communication. Use the HTTPS protocol, which you can do in both C# and Java, and the content of your requests will be protected from being intercepted by third parties along the way.
When your traffic is noticed or intercepted it will be freely interpretatable to the reader. You can see an example of such traffic in the console window of your browser, or if you want to view the actual application traffic use a proxy (such as Fiddler2).
If you want to prevent your traffic from being read, you have to take measures to ensure authorization and access control. You can do this by encrypting the traffic with TLS/SSL. If you have web-endpoints you can often enable https trough the libraries configuration. You may need to pass it as a parameter to the code that builds your connection.
Furthermore, it is best practice not to divulge sensitive information in your application output. You will want to use strong passwords and refrain from storing or sending these in plaintext.
I would also advice you to break down the need for securing in smaller bits.
Example:
You are using a lot of different technologies. These all have best practices and guidelines related to security. Separate your applications from your networking/operational assets. Encrypting your communication is a measure in your application. Whereas your MySQL configuration works in a different way entirely, mostly trough configuration.
Why are you connecting directly to your DB from the Android/WPF apps?
If the MySQL DB is sitting on a secure server, perhaps wrap the database calls/services in RESTful APIs implemented in your PHP solution, then call the APIs from your client apps, this also saves you from writing SQL statements and DB specific tasks in multiple languages (Java/C#)
not knowing your situation makes it hard though...
I have a website that I'm wanting to create a Java application for, and while I don't have any experience creating android applications I have a decent amount of Java experience and feel like I should be able to complete this task over some time. I'll be making use of the Java.IO package for client-side networking (On the application) and hosting a server using Java. This server application will have access to all of the same databases as the website through JDBC. (I'll be hosting it all on the same server.)
My question is how to go about handling connections on the android platform, currently I verify a dynamically generated salt with the database salt on every page refresh to prevent session theft. I also make sure that the encrypted password and the user-name stored in the session match.
I could theoretically just create a standard server application, using NIO and avoding the whole thread-per-client scenario. The problem is that my website has quite a bit of traffic, and I know the application will too. So I'm running into issues on how to handle it.
If I use a keep-alive TCP connection and store the users basic information in a class data structure (Psuedo example):
class User {
int id;
}
Considering all information will be polled from a database and everything is relative to the id of an account, there's no reason to store any excess data into the User class, correct? Just a quick simple lookup tied to the connection to only get data relavent to yourself.
Should I avoid the use of TCP networking for this? What do you guys think.
On the server side, create REST web services that invoke CRUD operations on the server database, and return the responses to the client as a JSONObject or JSONArray. Android has internal support for JSON parsing, and you can use the Volley library to call the web services. Volley is a pretty abstract, high-level HTTP library that makes it very easy to make REST web service calls. TCP connections are quite low-level and are not generally used in client-server Android apps. See the Transmitting Network Data tutorial for more on this.
I have my website(in php) running in Yahoo small business and Application(in java) in Rackspace.com.both server has got mysql database.
I want to query my application database(in rackspace) from my website(in Yahoo) and get the result set.
How to do it?
Please suggest me reference document to do it.
Is it a good idea to directly query a remote database ? means is there any performance issue will rise ?
It's always a bad idea to remotely access data that do not "belong" to your app. In this case, the PHP app should access a set of functions that are exposed on the Java side. This is to make sure that when you upgrade the Java side, you may change the schema of the database without affecting anyone interacting with it.
I recommend you look into Web Services -- there are many methods (eg look for RPC, REST, SOAP), and some might be a better fit for your needs than others.
If you open the database port, it should be easy but unsecure.
If you can access the database port in a secure manner (for example vpn tunnel), it would be easy and secure :)
My suggestion would be to implement the querys as SOAP Services in the Application and access them via PHP. Google should provide enough Results about SOAP in both languages.
AFAIK
if you would like to use the java function from php you should implement the web services in java in any of the web service types
You can access web services from php using the cURL calls
Okay, I apologize in advance for this question, as it is quite broad.
Basically, I am developing a system involving:
A website where users can register an account. This process will create a new database on the server for that account.
A client side external application written in Java. This will access the data in the database in order to perform useful operations for the user.
The databases themselves which are created in the first point.
My question is about what security measures should be implemented in order to keep the databases secure and how to transfer data securely.
My concerns are:
How is a MySQL database actually secured? When I create the database at the point of account registration, do I need to set a password for that database? Does this encrypt the database? Is this enough to prevent someone from accessing the data?
Java is pretty easy to decompile. Assuming I am to store the log in data for an account database in a master database, how do I secure that database and connect to it from my application in a way which doesn't require me to hard code the details for connecting to that database in the application. I believe this must be an issue in languages which are compiled to native code too, as someone could just perform a memory dump to get hold of such variables at run time of the application (I think).
When sending and receiving data to the client from the server and vice versa, how do I prevent someone from network eavesdropping and getting hold of the data (whether this be log in credentials or other data from the database). I assume this is what SSL is for, but is that all I need to use?
A possible answer to these questions is to use a middle man service in between the Java client side application and the database, much the same way you would use PHP in between Javascript and a MySQL database (although the PHP is a necessity in this case). I assume this middle man service would contain the log in credentials for the master database etc. and would contain its own methods for preventing unauthorized access. If this is correct, how would I go about setting up such a service? Would it be possible to utilize a PHP script from a Java application to transfer data?
I hope my question makes sense and isn't too ambiguous.
Thanks in advance for your time.
How is a MySQL database actually secured? When I create the database at the point of account registration, do I need to set a password for that database? Does this encrypt the database? Is this enough to prevent someone from accessing the data?
Using an account name and password, together with different access rights for particular databases "granted" to different users.
The password is associated with the user account, not the database.
MySQL databases are not encrypted.
Yes ... though if untrusted people can gain admin control of the database itself, or the system that hosts the database, then all bets are off.
Java is pretty easy to decompile. Assuming I am to store the log in data for an account database in a master database, how do I secure that database and connect to it from my application in a way which doesn't require me to hard code the details for connecting to that database in the application.
A common approach is to put the connection details and/or account credentials into a Properties file that the application loads at startup time. However, I think your real issue is that you want to allow updates to the database by applications running on untrusted machines. A more sensible solution to that is to run a trusted service on a properly secured machine and have the untrusted machines talk to the trusted service and NOT directly to the database.
I believe this must be an issue in languages which are compiled to native code too, as someone could just perform a memory dump to get hold of such variables at run time of the application (I think).
That is correct.
When sending and receiving data to the client from the server and vice versa, how do I prevent someone from network eavesdropping and getting hold of the data (whether this be log in credentials or other data from the database). I assume this is what SSL is for, but is that all I need to use?
SSL is sufficient for securing data (or credentials) that are sent over the network.
The situation with man-in-the-middle attacks is murky, certainly when it comes to web browsers and whether trusted roots should really be trusted. But if I understood what I read correctly, there is a way to use SSL that should be immune to MITM. Basically you need to generate individual SSL certificates for all participants (clients, servers) and distribute them to all using an out-of-band distribution mechanism; i.e. NOT over the internet. Then you only accept SSL connections from parties with a known certificate. And make sure that you use TLS 1.1 or 1.2.
I see some possibilities -
Using jBoss SX framework
Using EJBs is another thing, which provides the requried layers of abstraction.
JCA components can be used on middle-man components
Finally SQL injections can also be accessed through some of the available tools like the sqlMAP.
You are correct in assuming that your client application should never store database authentication information. It is far too easy to decompile a Java application to retrieve those connection strings.
Instead, as I think you understand, you should expose a web service providing the information your app requires. There are a few ways you can go about this. You could, for example, write a REST interface so that your clients make HTTP calls to your server and receive JSON or XML responses back. You could also write a Java RMI server that allows your client to make remote method calls on the server to find the information they need. Without a more specific question or constraints, I can't really advise on which is more appropriate.
I'm looking for some advice on the simplest way to create some product registration communication. I have a Java desktop application that needs to be re-newed every year. When a user downloads and install this app (through JNLP) they get a limited demo-version. There is code in place on the client to "register" the product and unlock all of the features.
My next step is to build the server-side components. There will be a database with customer ID numbers and other information about the customer. When the user clicks register, some contact information will be sent to the server as well as some product registration ID. The server will check this against the database and then either give the client the o.k. to unlock the features or the user will be informed that the registration id was not valid. This seems like a very standard thing. So what is the standard way to do it?
I have my own VPS and I'm running Tomcat, so I'm really free to implement this any way I choose. I was planning on building some web service, but I have never used REST before.
Use REST; REST is nothing more than using plain HTTP 'better'. Since you are already using HTTP, somehow you are already doing REST like calls and moving these calls to full fledged REST will be easy.
Implementing REST calls is easy. You have two approaches:
Low end: using URLConnection objects on the client, servlets on the server and following some REST conventions on using HTTP methods and 'clean' URLs (see here). Advantage is that you need no 3rd party library and minimize the footprint. Maintenance and evolutions are harder though.
High-end: a framework and specifications like JAX-RS. Using Restlet you can be up in running with a REST server in a couple of hours without having to deploy a servlet container.
Don't use SOAP. The only reason you would want to use SOAP is that you want to contractualise using a WSDL what you are exposing (you can do the same with REST btw, see the Amazon documentation for instance). Trust me, SOAP is way too heavy and confusing for what you are trying to do.