I am working on an application in java that will connect to an sql database, but will also have an internal encrypted database used for user accounts and passwords for security. My question is, is there a way to get(when the application would first be installed on the users machine) to grab with with authorization a list of user accounts, and their passwords and possibly privilege sets for these accounts to be used for security later. this will be similar to the way that plesk or cpanel uses user accounts on the system for logging into a web interface of the application. this will use angular front end and a java backend with database for storage and things alike. This will be deployed on many machines, mainly would be linux(RHEL) and Windows, with the possibility of mac. how would you go about this? any advice or help would be greatly appreciated.
You can use Java properties file with encrypted property for password. Please have a look at this answer for a point to start.
I was thinking originally of having Java authenticate with the OS, however this defeats the purpose. I will just have during the setup process the user setup passwords, store them encrypted in some SQL database for authentication. This makes more sense as JAVA is typically running in a Virtual machine completely separate of the OS. This can also make it more secure, as if the OS gets breached, unless you have the passwords for the encrypted files, your data is safe.
Related
I have have a BIG problem in the past few days. I'm developing an application for a customer and I have an external database in the web. In the program there are a login and some modules. At the time I store the data for access to the DB hardcoded in the Java code. Of course this is not a way to store those data.
Then I was searching so much to find out a way to connect to the database.
Store the password in a properties (.xml) file on the PC
Encrypt the password
etc.
But all of this is not really secure. Then I found something good. "Three-Tier Application Server" sounds really good and a possible way that I don't have to save the data on the PC. But I read everytime how a Three-Tier server works, but nowhere how to develop something like this in java. And is there a possibility that a hacker write an application that connects to this server too and get all of the data, because he decompile the application and get the access data?
Thanks for help
There are indeed many ways you can go about this.
The best way is to have the authentication checks spread throughout your code to where it would be very hard to remove them.
Have the authentication with SHA256/512 and or MD5 and have the user send a login request to the server.
Only authenticate the user if the server responds that it is registered.
Do not store any information other than the users info on the client end.
All the checks should be made and validated on the server side.
You also most definitely want to obfuscate your client sided code as well.
Is it possible to hide database details in jnlp-file? My app use jws and MySQL-database. In jnlp-file i have defined db connection details (username, pw, hostname).
Like this:
property name="dbuser" value="username"
Is there any alternative ways to define database details? Details must be easy to change!
Look at the JnlpDownloadServlet Guide: Substitutions.
JnlpDownloadServlet makes convenient substitutions in your JNLP files. When the client requests a JNLP file, the servlet reads the original file, substitutes values, and returns the results.
Is it possible to hide database details in jnlp-file?
No. Not to a power user.
The app probably shouldn't be talking directly to the database unless you trust all your users. Instead, you should hide your database behind a service, for example a REST service.
Never trust the client. The user can modify your program to do what they want and they can read anything you store on their system or anything sent over the network. Even if you use encryption, if it is decrypted on their computer then they can read it.
It is not a good idea to hide a secret on someone's computer and hope they don't see it. Even less so when your program is frequently reading this secret, making its location obvious.
You should assume that somewhere you have a hostile user who has modified your program (that runs on their computer) to do their bidding, and they know all the information you send to their computer.
You could create a database user for each of your users and still let them connect directly to your database, where their database user has very limited access. I think this would also be a bad idea. Databases often don't have the best security.
Instead, firewall off your database and only let your internal systems access it directly. Your users (through your java app) can instead access a web service like Chris suggested. This gives you a much smaller attack surface, which is easier to secure.
I have a Java application that sends user score to the mysql table. When the user is done, Java app accesses the .php file on server and the .php server performs a query on the database (inserting score).
I am concerned about the (in)security of this method. I mean, if someone finds out the direct url to the .php on a server, they can produce a lot of mess in the dabase. Can you advise how I could prevent the .php from executing the query other than accessed by the Java app?
edit: The problem is that Java application is NOT run on the server, it's run on the user computer using Java Web Launcher platform. So it's not an applet...
The problem is conceptual. You should never be sure that users can't find out the real address (security by obscurity). You could use SSL, still this is no means against a good guess.
Since the Java program is run on the client side, a .htaccess restricting access to a certain IP is also not an option.
My suggestion is to create a separate user in mysql, grant this user access only to necessary tables and perform the database queries on behalf of this user directly in Java. This way all data is encrypted (see http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html) and no URL/access point is exposed. Of course it means your MySQL server must be reachable from outside which poses a risk, too. You should have a good root password!
As you know anyone can access strings in an native application using a hex editor.
In a Java application it is possible to decompile the Bytecodes and access strings and other things (like application logic).
Now when I'm connecting to a database my password is stored in application strings.
How Can I protect these strings (passwords,...) against Hex editors & decompilation?
Thanks
Nothing you release to the public is private. There is no protection scheme that a sufficiently motivated attacker cannot break. If anybody had one, they'd be making millions selling it to Hollywood! (Plenty of people are making millions selling ones that don't work...)
You have three basic options:
1) Design the database with procedures and permissions such that having the direct login doesn't allow the user to do anything they couldn't have done through the application anyway.
2) Tie user accounts to database accounts and have users login with their own username.
3) Put an application server in front of the database. Your client connects to the application server and calls service methods on it. So only those functions you expose on the app server are exposed to the public. This is the standard way of doing things.
i am writing an application in java and i want to enable it to access a mysql remote server.
my problem is that if the application have the user name and password someone can take them and use my db with a different software.
is there a way of preventing it ?
UPDATE
i found this workaround for connecting to a remote MySQL database from an android device.
you put a service in the middle. like a php page that code the data in JSON format which the android app gets via http.
here is the example i found :
Connecting to MySQL database
Having the username and password is designed specifically to grant access to the database. That's the whole point.
You could go to some extra lengths like restricting database connectivity to specific hosts, so at least your paying customers get access to the database and no else can access it, but your customers might choose to use different software to access the database. There's no way around it except licensing terms.
What you could do is run an intermediary program on your own hardware that connects to the database and restrict access to the database to software that is under your direct administrative control. Your program would validate all requests from software under control of your customers and allow the queries that you want to allow and refuse (and log) the queries you do not have to allow. (You do not need to send raw SQL data back and forth -- you can do any amount of processing on the data and queries.)
You can setup JDBC Data Source on your application server. Here you can see example for Oracle Glassfish.
So, your credential won't be used in your code/resources.
If you are saying that you have an application trying to access a MySQL remotely (not in the same box), then i think you need not worry, as the connection that will be established by your application codes will not expose the username and password when it is trying to authenticate and authorize itself to the MySQL server.
You can limit the access to the MySQL-server so that only certain IP-addresses or IP-ranges have access to it.
As a side note, make sure that the user you use in your application only has the needed permissions to the database. For example, the user might not need to be able to create or delete tables. You can even specify permissions for the user on table and column level.