I have a Java desktop application (a runnable jar) that is being made available to clients within a CD. Then "autorun.inf" automatically launches the jar and the application runs from the CD (therefore running in a read-only environment).
This application needs to access some known data and use it somehow. Since the application is standalone, this data should be distributed with the application in some kind of files.
Now comes the challenging goals:
This data are just columns of numbers, similar to database table exports. And the most convenient way to access it would be exactly like if it was a database table where one can do SQL queries to this files.
This data should be confidential to the user clients. Although the data must be distributed with the application, it cannot be legible to users. So, the data must be encrypted or obfuscated somehow.
So I kindly ask for your help mainly to point me some ideas that will help me understand and discuss with you which is the best way to implement such features.
Thank you very much in advance,
Alves
Edit #1:
Using an embedded database engine is a great idea and would solve both problems at the same time. But it raises some questions for me:
Does the database engine needs to write files somewhere? I've done some tests with HSQLDB and I think it does. That would be an issue since the application is running from a CD.
If it really needs to have such files, can I release them also with the application, instead of being created on the fly?
Just to confirm, if I use an encrypted database, I have to put somewhere on the application the secret Key that will make me decrypt it, right?
One possibility would be the use of an encrypted SQLite database.
SQLite is a relational database management system, where the databases are files.
For encryption in SQLite look here: http://www.hwaci.com/sw/sqlite/see.html
Your goal is absolutely impossible and it's rather obvious why: Your application obviously needs to read the encrypted data (otherwise why bother including it), hence has to decrypt it, hence has to store the keys somewhere.
Well there you are: You sent the encrypted data AND the key to decrypt it to the client - what's to stop them from doing the same thing your application does?
Yes it may stop some people from getting your data, but it's nowhere safe against someone who has even a slight understanding of what's going on
You could use SQLite with the SQLite Encryption Extension.
The SQLite database file could be created at the first start of you application.
You can simply test if the SQLite database file already exists:
if (!new File(database_filename).exists()) {
createNewDatabase();
}
The path to your SQLite database is stored in the database_filename variable.
If the file doesn't exist already, you can save the file for example in the user's home dir.
I'm using the following code in one of my applications to create the database with an external SQL script file.
public final void createNewDatabase() {
InputStream inputStream = getClass().getResourceAsStream("database_create_script.sql");
String sqlCommand = new Scanner(inputStream).useDelimiter("\\A").next();
try {
Statement statement = connection.createStatement();
statement.executeUpdate(sqlCommand);
} catch (SQLException ex) {
ex.printStackTrace();
}
System.out.println("Database created");
}
H2 Database supports encryption, too. As much as I like SQLIte, for a Java application I'd choose H2.
Related
I successfully connected to a DB in eclipse through the Database Development perspective and am able to run queries in the SQL File Editor. However, I would like to write java code to automatically run a query and then extract the data to a flat file. What is the easiest way to do this? Since I am already connected to the database, can I bypass the java code that involves connecting to the database.
No, the Java JVM also needs to be able to connect to the database. There are many examples of JDBC connections on the internet, including this one.
Once you have got the data you needed, you should make use of FileWriter in order to write the information to file.
This is more just a general thought and speculation from my side, being a student of Computer science.
Lets set the scene:
Lets assume that I have created a wonderful application in Java that I plan on selling in the future. The java application has a complex structure and uses connections to a database using JDBC etc to connect to the DB, get the information from some table in the DB and then work with that data.
To be able to connect the Java program to the DB i have to give the program some information of the DB such as the link, username to the DB and its password.
My DB holds alot of information that I do not want others to see without authority.
But these informations are clearly visible in the java code i created. How sure can I be that no one can access this information after the app has been compiled into a JAR file or a .EXE file?
This might be a dumb question, but I'm just curious.
Thanks
Don't compile the user & password values into your Java application. Write your application with the ability to read those values from an external properties file. Then it's your customers' responsibility to restrict access to that file so only trusted users can read or alter it.
Security concerns aside, configuration such as DB connection strings, usernames and passwords is not part of the shipped application but an installation specific setup. All the application needs to do, is to expose a simple way for the end users to spell out these settings (e.g. property files, xml, etc...).
With this approach, it is the users responsibility to secure usernames and passwords.
Short answer, you can't. If it's in the jar or exe, it will be visible. Your best bet is to encrypt the compiled files.
There is really no possible way to prevent someone from decompiling your code back to something akin to its original state. You could make it more difficult, but if someone is determined, they can get it back to code form. As such the correct response is to not put any sensitive information into your java code. Put it somewhere else.
In this case, you might consider moving the information you want to client to access in your DB to a different DB, that doesn't contain sensitive information. Alternatively, if your database software allows it, create a new user on the DB, that only has access to the data the client will view, and use that login in your java program.
EDIT: mysql users
To create a new user in mysql run the following command:
CREATE USER 'username'#'hostname' IDENTIFIED BY 'password';
if you want the same user to be accessibble from any host replace hostname with %
This user is created with no permissions by default, so now onto adding permissions. Here is an example
GRANT [permission_level] ON database.table TO 'username'#'hostname';
Replace the table name with * to specify every table in the database.
for a full explanation of the syntax of these options look here: CREATE, GRANT
This should help you restrict who can access what in your mysql database.
I am trying to build a simple GUI in which you can write some Integers. These Integers are supposed to be written into a Database, which I am looking for.
So far so good. The data in the Database should then be used for another stand-alone application, which already exists.
I tried it with SQLite already but I received a lot of "Database locked" Errors. I searched Google. The key answer I often read about was to switch to a database which supports concurrent processes.
I went further on and had a look at H2 and HSQLDB. Both of them seem to be legit but much more complicated.
So I wonder:
I would like to have the GUI to be portable in a .jar file (or a folder only) combined with the Database, so when I switch computers I do not have to install the DB in a certain folder like the home-directory or something. With SQLite all you do is this:
Connection con = DriverManager.getConnection("jdbc:sqlite:test.db");
As you can see, no Path-infortmation is necessary. How can I do this with H2 or HSQLDB?
I am really looking forward to your suggestions. But only open source please.
Kindest regards and thank you very much!
Stefan
With H2 and HSQLDB you can do the same.
With H2, a database URL of the form jdbc:h2:test will create a file called test.h2.db in the current working directory of your application. If this is what you want, then that's fine. Please note I usually don't suggest to do that, because many people run into the problem that they sometimes start the application in a different directory (which will then create a new database). Because of that, I suggest to use jdbc:h2:~/test, which means the database file is stored relative to the current user home directory.
Handling the creation of an embedded db file should not be a big issue - but if you really dislike this stick with SQLite: it should handle concurrency well enough for basic usage - 'database locked' sounds more like an application level problem
Is it possible to use SQLite as a relational database from Google App Engine? (Java) I need read/write access to it from the app itself.
Also, I am using Quercus for PHP, and if what I am asking for is possible, I can handle storing the database myself.
No, it is not possible. This would require write access to the filesystem, which App Engine does not allow.
SQL database support (MySQL like) is planned, but no release data has been given. For now, use the datastore.
I know it's a super old question and nothing concerning read-only properties of App Engine has changed since then... But actually you can use sqlite on Google App Engine. There is a writable /tmp directory (https://cloud.google.com/appengine/docs/standard/java-gen2/using-temp-files). If your app on startup first copies the db.sqlite3 file to /tmp/db.sqlite3 and references this path as database path, it will work.
The following problems are connected with this approach:
This directory is "in-memory". So if you want to use really large sqlite file, you may face problems with RAM.
Each node of the app gets its own copy of the database. If you save something on one node, these changes will not be seen by other nodes. And the new data will be lost if the app scales to 0.
Short Version: I need to store some data between runs of a java program.The data will be of the form of a table.Is there anything that can let do something like a sql query in java??THE SOLUTION MUST BE ABLE TO RUN ON AN OFFLINE COMPUTER.
Long Version: The user will be entering some data daily and i want something like a sql table in java. The program will run on a computer that is NOT CONNECTED TO THE INTERNET and so i need a truly local way to store data(Lots of it).Also preferably the data should be stored in such a way that it is not easily accessible to the end user(as in ,he should not be able to double click the file and simply read its contents)
Major Constraint: On searching online i found many people were using localhost to solve similar problems but that facility is not available to me as i CANNOT INSTALL ANYTHING on the target computer.
If a simple data file is not good enough, how about using SQLite with a JDBC backend? It will allow you to have an SQL database stored in a regular file with no dependency on any kind of server. Alternatively, there are many other embedded DB engines that you could use, depending on your needs.
EDIT:
By the way, most (if not all) DB engines that I know of do not obfuscate the data before storing them in the filesystem. The data will be fragmented, but parts of it will be visible if you force an editor to open the file (e.g. using "Open with..." in Windows).
There is also nothing to stop your user from accessing the data using the command line utility of the selected DB engine. If you want to obfuscate the data you have to do it in your code. Keep in mind that this will not stop a determined person - if your application can read it offline, so can everyone else.
Use an embedded database (like Apache Derby, HSQLDB, H2) so that you don't have to run a database server on the machine. The data will be stored locally on the target machine and it won't be human readable.
You have several options:
Store it in an xml-file
Store it in an local installed database
You can install a database like mysql or use a in memory database like sqlite or hbase or apache derby, which is included in java 6