I need to connect to a MySQL database from a java Desktop application. The way I was planning on doing this, was using HTTP to open a php page on my website, that PHP script will handle all the mysql stuff so my MySQL user/pass is not accessable to the client at all. so, my question is, would SSL be required? and also, how could I prevent people from taking the URL to the PHP script and using their web browser to mess things up on the database?
This should probably be on the security site, but anyway.
If you don't want everything you send to the database to be visible to the world, use SSL.
Force the client to authenticate to your server side script before making any changes to the database if you don't want anyone in the world making changes.
Make sure that SQL injection is prevented.
Why wouldn't you just use MySQL user authentication with SSL? Writing your own bridge sounds like it would only cause problems and expose more security holes than you'd otherwise have.
so, my question is, would SSL be required?
SSL helps provide a layer of security, through encryption, which keeps people from hijacking the connection and intercepting what you send (for more information, see: Firesheep). Therefore, while not required, per se, it is recommended. If you have control over the Java app, and depending on your purposes (namely, an in-house application), then you can use a self-signed certificate and package the cert with the app for verification purposes (see: this SO question for more info on self-signed vs CA SSL certs).
how could I prevent people from taking the URL to the PHP script and using their web browser to mess things up on the database?
As with other Information Security things, nothing is 100% guaranteed, but the most common way to do this would be via an API key, especially since what you're describing is an API.
If you're looking for a quick-and-dirty setup, then you can use HTTP Basic Authentication to send some credentials, and use SSL to secure it. For a more robust solution, you'll probably want to look into HTTP Digest Authentication and/or OAuth. What you use will also depend on your specific needs.
You can then code the API key into the Java app, or create a way of generating and requesting API keys (again, depends on your specific purposes and needs), and the client sends the API key with the request. If the key doesn't match what you have "on file", then you deny the request.
A quick note on using an API vs connecting to MySQL directly
A couple of people brought up connecting to MySQL directly. I think this is a valid option, but will depend largely on what you're doing and who you're distributing to (and, for that matter, whether you want to open that database to other clients).
If you have plans to have other clients (such as mobile devices) connecting to this database, or if you don't have control of the database for whatever reason (ie - your hosting setup won't allow you to make remote access available), then it might prove useful in the long run to build an API.
However, if you have no such plans, or do have full control of the database, and you control the source code of the Java application, then directly connecting to the MySQL database is a valid option. Just make sure you follow the principle of least access - the Java application gets a dedicated MySQL user that only has the permissions that are absolutely necessary - and the Java application user has a strong password (and since no humans are involved in this process after you code it, you can use a password generator to create something long and convoluted and completely random).
Related
So I have a Java Program that just runs in the windows console at the moment. When the program first starts, I want to have it go through a login prompt with a username & password. I’ve previously used a MySQL database to check if a username + password combo exists, and then allow that user to login. I know how to encrypt passwords and such when I compare them to the database info. However, when I did this, the MySQL login details were left in the code so that the program could connect to the database. This leaves a huge problem in that someone could decompile the program and find those login details, then use them to access the database.
So my question is, is there a way to access these logins using the program, WITHOUT exposing my database details to a snooping person. Is there a library out there that could accomplish this?
Yeah you can do it, But you need to re-architect your application.
You should separate you application into two different application.(In short: you have long way to go)
1- Client Application: Where your Java Application is interacting with the end user.
2- Server Application: Where your Application is interacting with your DataBase. This Application can talk to your Client through your network.
Note: keep in mind that, any application at client, can be decompiled. All traffic even any communication between client-server can be monitored.
There are many methods out there, to make the communication between the server and clients. The choice is yours, you can make your own one (Socket communication) or follow some standards like REST or SOAP.
If you want to use REST or SOAP, there are many ready framework and libraries available where Spring is one of them. Since you need to have Server Application(Ex: Rest Server), you need to run your server application in a container, where in this case, Tomcat is the most famous one in JAVA world.
But there is better way to Start ; you can make an Spring Boot Application for your Server app. Most of the libraries even your container is already embedded, and you only need to focus in your Application Logic. Once it's done, you just need to run a single jar file and your client can start talk to the server app, through network. The drawback is that you need to follow the spring boot standard.
You can also Secure your Rest API by Spring Security framework (Which is totally separate topic), but you can simplify it to, token exchange between your server-client for each REST call.
So in this scenario, let say someone decompile your client application, he would
see nothing but, some rest API links, which can not work without login and token.
Also keep in mid that you also need to Secure the communication between Server and Client Throw the Network by TLS.(Which is totally separate topic)
If you're giving out db access then deal with the side effects of that choice. I think mysql offers some kind of row level security option. Check the docs.
If you want some level of backend obfuscation then put it between your users and backend via REST or some other scheme.
I am wondering if there is a solution to my problem. As a summary, I need a non-intrusive Web response cache for users that authenticate via a client certificate and are authorised to see URLs based on that.
I have a JEE application and I would like to cache responses to Web requests. I am trying to do it as transparent as possible (ie. without messing with the code), so I found Squid.
My problem is that users might authenticate themselves via a client certificate (or the absence of it) getting authorisation based on this, and this is what makes things "difficult". Is there a way to configure Squid, or any other software, to cache the results after the communication has been established by Tomcat? Something like a cache that is triggered by my application right after the TLS handshake is over and Shiro has been called (because user permissions depend on their certificate). The fact that users have to be authorised by my app make me think that the only way is to create Java code for this, not using Squid or similar software transparently.
I am sure this is a problem that has happened before.
I am creating 3 applications that are written for different platforms (.NET (C#), Android (Java) and PHP). I'm using C# for the WPF application that is going to run on Windows PCs, PHP on the server side and Java for the mobile app. I am using a MySQL database where I'm storing all the information that 3 apps are going to be using.
I am using web requests to my Apache server (JSON and POST basically) when I need some specific stuff to do with PHP.
But, how safe is:
When I'm connecting to the MySQL database via C# and Java?
When I'm sending GET and POST web requests with C# and Java?
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database, or even get the post request parameters that the app is sending?
Because I know there are a lot of network-monitoring software and I wouldn't be surprised if this is possible.
If it is, then how to avoid it?
"How secure are Java and C#?" isn't quite the right question, because the answer depends on what you do rather than the features in the languages. They both have plenty of good options for implementing various types of security in various ways. What really matters in your case is how the machines communicate.
Can you somehow spy on the traffic that is going on between the device (PC / Android device) and the server and find out the user and the password of the database
Your clients (the PCs and Android devices) should not be connecting directly to your database. They should submit requests to your server, where you have much more control, and can authenticate clients and validate their data. The server then connects to the DB.
If the clients call the DB directly, not only are the credentials transmitted over the internet, but they must also be present locally on the client in some form. This means that someone could potentially crack your app and get access to them.
or even get the post request parameters that the app is sending?
Yes, these can be intercepted and read. Again, preventing this is a matter of how you implement the communication. Use the HTTPS protocol, which you can do in both C# and Java, and the content of your requests will be protected from being intercepted by third parties along the way.
When your traffic is noticed or intercepted it will be freely interpretatable to the reader. You can see an example of such traffic in the console window of your browser, or if you want to view the actual application traffic use a proxy (such as Fiddler2).
If you want to prevent your traffic from being read, you have to take measures to ensure authorization and access control. You can do this by encrypting the traffic with TLS/SSL. If you have web-endpoints you can often enable https trough the libraries configuration. You may need to pass it as a parameter to the code that builds your connection.
Furthermore, it is best practice not to divulge sensitive information in your application output. You will want to use strong passwords and refrain from storing or sending these in plaintext.
I would also advice you to break down the need for securing in smaller bits.
Example:
You are using a lot of different technologies. These all have best practices and guidelines related to security. Separate your applications from your networking/operational assets. Encrypting your communication is a measure in your application. Whereas your MySQL configuration works in a different way entirely, mostly trough configuration.
Why are you connecting directly to your DB from the Android/WPF apps?
If the MySQL DB is sitting on a secure server, perhaps wrap the database calls/services in RESTful APIs implemented in your PHP solution, then call the APIs from your client apps, this also saves you from writing SQL statements and DB specific tasks in multiple languages (Java/C#)
not knowing your situation makes it hard though...
Okay, I apologize in advance for this question, as it is quite broad.
Basically, I am developing a system involving:
A website where users can register an account. This process will create a new database on the server for that account.
A client side external application written in Java. This will access the data in the database in order to perform useful operations for the user.
The databases themselves which are created in the first point.
My question is about what security measures should be implemented in order to keep the databases secure and how to transfer data securely.
My concerns are:
How is a MySQL database actually secured? When I create the database at the point of account registration, do I need to set a password for that database? Does this encrypt the database? Is this enough to prevent someone from accessing the data?
Java is pretty easy to decompile. Assuming I am to store the log in data for an account database in a master database, how do I secure that database and connect to it from my application in a way which doesn't require me to hard code the details for connecting to that database in the application. I believe this must be an issue in languages which are compiled to native code too, as someone could just perform a memory dump to get hold of such variables at run time of the application (I think).
When sending and receiving data to the client from the server and vice versa, how do I prevent someone from network eavesdropping and getting hold of the data (whether this be log in credentials or other data from the database). I assume this is what SSL is for, but is that all I need to use?
A possible answer to these questions is to use a middle man service in between the Java client side application and the database, much the same way you would use PHP in between Javascript and a MySQL database (although the PHP is a necessity in this case). I assume this middle man service would contain the log in credentials for the master database etc. and would contain its own methods for preventing unauthorized access. If this is correct, how would I go about setting up such a service? Would it be possible to utilize a PHP script from a Java application to transfer data?
I hope my question makes sense and isn't too ambiguous.
Thanks in advance for your time.
How is a MySQL database actually secured? When I create the database at the point of account registration, do I need to set a password for that database? Does this encrypt the database? Is this enough to prevent someone from accessing the data?
Using an account name and password, together with different access rights for particular databases "granted" to different users.
The password is associated with the user account, not the database.
MySQL databases are not encrypted.
Yes ... though if untrusted people can gain admin control of the database itself, or the system that hosts the database, then all bets are off.
Java is pretty easy to decompile. Assuming I am to store the log in data for an account database in a master database, how do I secure that database and connect to it from my application in a way which doesn't require me to hard code the details for connecting to that database in the application.
A common approach is to put the connection details and/or account credentials into a Properties file that the application loads at startup time. However, I think your real issue is that you want to allow updates to the database by applications running on untrusted machines. A more sensible solution to that is to run a trusted service on a properly secured machine and have the untrusted machines talk to the trusted service and NOT directly to the database.
I believe this must be an issue in languages which are compiled to native code too, as someone could just perform a memory dump to get hold of such variables at run time of the application (I think).
That is correct.
When sending and receiving data to the client from the server and vice versa, how do I prevent someone from network eavesdropping and getting hold of the data (whether this be log in credentials or other data from the database). I assume this is what SSL is for, but is that all I need to use?
SSL is sufficient for securing data (or credentials) that are sent over the network.
The situation with man-in-the-middle attacks is murky, certainly when it comes to web browsers and whether trusted roots should really be trusted. But if I understood what I read correctly, there is a way to use SSL that should be immune to MITM. Basically you need to generate individual SSL certificates for all participants (clients, servers) and distribute them to all using an out-of-band distribution mechanism; i.e. NOT over the internet. Then you only accept SSL connections from parties with a known certificate. And make sure that you use TLS 1.1 or 1.2.
I see some possibilities -
Using jBoss SX framework
Using EJBs is another thing, which provides the requried layers of abstraction.
JCA components can be used on middle-man components
Finally SQL injections can also be accessed through some of the available tools like the sqlMAP.
You are correct in assuming that your client application should never store database authentication information. It is far too easy to decompile a Java application to retrieve those connection strings.
Instead, as I think you understand, you should expose a web service providing the information your app requires. There are a few ways you can go about this. You could, for example, write a REST interface so that your clients make HTTP calls to your server and receive JSON or XML responses back. You could also write a Java RMI server that allows your client to make remote method calls on the server to find the information they need. Without a more specific question or constraints, I can't really advise on which is more appropriate.
I'm using GWT for a web-app and I need to access to a mySql-database. There will be only one client (The app is used on a iPad localy). Is there any way to access the database without RPC? I'm looking for a possibility to direkty query a database.
Thanks!
There are 2.5 reasons you cannot use gwt to directly access MySQL.
Reason #1.
GWT is compiled into Javascript. You need to open a socket to the database server. GWT does not allow you to open a socket. In fact, no unaugmented browser (before advent of html5) is able to open a socket. But you can open a socket using Flash actionscript, or HTML 5 javascript.
Reason #2.
OK, let's say you used HTML5 sockets. And you spent 6 months writing in Javascript a JDBC connectivity. But, your websocket would still need to address a servlet on the server which would help your websocket establish a persistent connection - and mysql is unable to perform such an establishment.
Reason #3.
SLD - SOP restriction:
(Second Level Domain Same Origin Policy)
Standard browser restricts its pages to only be able to request for, and to include, content from within the same second-level domain (SLD) as the server that provided that page to the browser. Top level domains (and top-level and a half) are such as .com, .org, .net, .me.us or .co.uk. So, domain names such as google.com, fbi.gov, mit.edu are second level domains. While, mail.google.com would be a third-level domain. Therefore, GWT would work only within the confines of an SLD. Your web server must also be accessible at the same SLD as your mysql server.
SLD-SOP and tunneling requirement is to close a security hole that could have allowed any tom-rick-or-mary to log into your system thro your browser. Tunneling is always required for a browser to connect to a server other than a http server. Tunneling is when a browser exploits the web server as a yenta (yiddish for busy-body/go-between/match-maker) to get to another server.
You have no choice but to use GWT-RPC. Perhaps you don't wish to use RPC, then you could use RequestBuilder, or Script-Include or RequestFactory. But they are all still diverse means of tunneling. http://h2g2java.blessedgeek.com/2011/06/gwt-requestbuilder-vs-rpc-vs-script.html.
There is one reason why you can connect to your database server from your gwt client:
Your database server must run httpd connection engine. That is, your gwt app would access the db server thro http. I am not familiar with which relational database has a http access available. Most probably, you would have to query thro xml or json.
However, a company I had worked for created our own http service to allow "direct" client access. "direct" is a misnomer because we used tomcat. It is stil tunneling. Any database company that offers "direct" http access is still tunneling. Tunneling - no escape from it.
You could augment the browser with Flash and write a Flash application rather than using GWT. If direct access is so essential to you, you would have to abandon GWT and develop in Flash and run a httpd engine for your database server.
GWT is ultimately Javascript. As noted at Are there JavaScript bindings for MySQL?
, there is currently no way of accessing MySQL from Javascript.
Therefore you can't access it from client-side GWT code.
AFAIK it's not possible, and even if it were, it would be a really bad idea. Are you sure you actually need a database? Maybe something like gwt-client-storage would be more appropriate.
EDIT
Your database would we publicly accessible and open for any sort of attacks.
EDIT 2
This may even be a better solution, as it offers support for accessing the HTML5 Database API and is targeted to iPhone/iPad.
gwt-mobile-webkit
If you were even successful in doing so, in short, doing a CTRL + U on the browser would make your database name, username, password, tables names etc visible... And done, any developer curious to know your code has a way to hack anything and everything in your server.
I think it's not possible, I mean, if you want all your data stored in DBs. I mean, GWT compiles into javascript and javascript executes on the client (typically a web browser).
If you want to access data stored somewhere (by some mean) in a server, then you have no option but RPC. If I were you, I would stop thinking in client-server paradigm (GWT was developed with that in mind). Perhaps some embedded database like H2 and then hold connections through JDBC.