I am working on an application where users go on and offline. I want the data entered by users to be synced with central db.
The application is in Swing and using web services to update data in central DB.
I am thinking SQLite as a solution but I am concerned about security. The concern in each client system will have more than one user and every user will have his specific data.
Does SQLite support this?
Are there any other alternatives for SQLite in this scenario?
I have Oracle 10g as my Central DB. The role of SQLite is a local DB that stores data till user goes online
EDIT:: I am here concerned about the security of SQLite file. Through my initial analysis I found there are no features like authentication while accessing sqlite file.
Hope I am clear now.
SQLite does not support per-user authentication (you can use a password, but it's the same for the whole database file). Per-user authentication wouldn't be efficient anyway, because a user who has read-access to the database file could just read the file directly. You could encrypt the data, but you would have to store the decryption key and algorithm in the executable, where the user can access it.
When you want to protect the local data of each user, I would thus recommend to delegate this responsibility to the operating system. Just store an individual database file for each user in the private user directory of the current user (%appdata% on windows, ~/ on unix). As long as users do not have admin/root rights, the operating system should prevent them from accessing data in each others user directories.
This, of course, only works when each user of your application also has an individual account on the operating system. When that's not the case, you could still use individual databases for each user stored in a public location, but encrypt each database file with a key which is derived from the password of each user.
Related
I am working on an application in java that will connect to an sql database, but will also have an internal encrypted database used for user accounts and passwords for security. My question is, is there a way to get(when the application would first be installed on the users machine) to grab with with authorization a list of user accounts, and their passwords and possibly privilege sets for these accounts to be used for security later. this will be similar to the way that plesk or cpanel uses user accounts on the system for logging into a web interface of the application. this will use angular front end and a java backend with database for storage and things alike. This will be deployed on many machines, mainly would be linux(RHEL) and Windows, with the possibility of mac. how would you go about this? any advice or help would be greatly appreciated.
You can use Java properties file with encrypted property for password. Please have a look at this answer for a point to start.
I was thinking originally of having Java authenticate with the OS, however this defeats the purpose. I will just have during the setup process the user setup passwords, store them encrypted in some SQL database for authentication. This makes more sense as JAVA is typically running in a Virtual machine completely separate of the OS. This can also make it more secure, as if the OS gets breached, unless you have the passwords for the encrypted files, your data is safe.
So I am building a GUI for connecting to MySQL databases, and I have a window where users can enter in: Host, User, Password, Port and a Connection Name. I would like to save connection information for multiple MySQL database connections.
I want Connection Name to be a unique name and when someone opens the main screen to the application there is a list of previously saved connections. When the user clicks on one of the Connection Names it will connect to the database. And they can then run queries.
What I would like to know is, what would be the best way to save these connections?
In my opinion, Saving in a flat file just doesn't sound like a safe way to do this.
You may encrypt the data with user's password. Don't forget to re-encrypt on password change. This is not the case here but if you have large data to encrypt/decrypt, you can have a statuc key for data but ecrypt key with user password.
There are a lot of solutions to securely store passwords for the desktop but I'm not aware if any of them have java bindings.
If your users have login/password you can use their password to encrypt the connections data.
If they don't (they should!) then your best option depends on the OS: Keychain API in OSX or DPAPI in Windows, I don't know about Linux but it probably has an equivalent API.
And you are correct: it's a horrible idea to put the connection info in a plaintext file
I made a java program in which users would be automatically inserted/selected lines into/from one mysql database, but could not modify any existing lines, tables, db, or privilages. I got myself a website and hosted it in 1and1.com, but sadly I found out that its a pain(impossible) to have multiple users for one database and to remotly connect to a database.
I was wondering what are my options here?
I suppose the first one would be to get another host that allows me to do this.
The only other option I can think of is that somehow I manage to send from java the information to my website, and then the website to connect to the database. (not an expert in php, html, or what ever i ahve to do (be by embbedding a browser on my GUI or by doing it under the hood).
This is my first attempt to create a program that connects to an online database, so please be nice.
Note: program worked in localhost.
1&1 support useless.
Almost all (web)applications that use a database, connect to the database with one database user for the whole application. Having a different database user for each user of the application is an uncommon design.
So, you should configure one database user, which the application uses to read from or write to the database; this database user is independent of the users of your application and is shared by all users of your application. There should not be a one-to-one mapping from application users to database users.
There are different reasons for this. One of them is scalability. Most databases cannot handle thousands of connections at the same time. If you have a web app that allows thousands of concurrent users, you don't want to have a database connection with a unique username for each of those users. Instead you want to use a connection pool with a limited number of database connections; the connections in the pool are reused whenever one of the web app users needs to perform an action that accesses the database.
i am writing an application in java and i want to enable it to access a mysql remote server.
my problem is that if the application have the user name and password someone can take them and use my db with a different software.
is there a way of preventing it ?
UPDATE
i found this workaround for connecting to a remote MySQL database from an android device.
you put a service in the middle. like a php page that code the data in JSON format which the android app gets via http.
here is the example i found :
Connecting to MySQL database
Having the username and password is designed specifically to grant access to the database. That's the whole point.
You could go to some extra lengths like restricting database connectivity to specific hosts, so at least your paying customers get access to the database and no else can access it, but your customers might choose to use different software to access the database. There's no way around it except licensing terms.
What you could do is run an intermediary program on your own hardware that connects to the database and restrict access to the database to software that is under your direct administrative control. Your program would validate all requests from software under control of your customers and allow the queries that you want to allow and refuse (and log) the queries you do not have to allow. (You do not need to send raw SQL data back and forth -- you can do any amount of processing on the data and queries.)
You can setup JDBC Data Source on your application server. Here you can see example for Oracle Glassfish.
So, your credential won't be used in your code/resources.
If you are saying that you have an application trying to access a MySQL remotely (not in the same box), then i think you need not worry, as the connection that will be established by your application codes will not expose the username and password when it is trying to authenticate and authorize itself to the MySQL server.
You can limit the access to the MySQL-server so that only certain IP-addresses or IP-ranges have access to it.
As a side note, make sure that the user you use in your application only has the needed permissions to the database. For example, the user might not need to be able to create or delete tables. You can even specify permissions for the user on table and column level.
We are using Java + H2 Database in server mode, because we do not want users from accessing database file.
All database users created by admin are regular users (not admin). Is there any other possibilities for those regular users to get the database content? I have tried SCRIPT and BACKUP command, and failed because they require admin privilege. That's nice :)
Is making users not admin is enough to protect users from dumping database content?
More, is making application user = database user, a good security practise? Previously, for authentication, we use custom 'users' table in the database, not the database user.
Thank you.
Is there any other possibilities for those regular users to get the database content?
No. That's the point of database users and rights, so that a user can only access the data he is allowed to.
Is making users not admin is enough to protect users from dumping database content?
Yes.
is making application user = database user, a good security practise?
Yes, if the client application has access to the database (over TCP/IP).
Previously, for authentication, we use custom 'users' table in the database, not the database user.
This is a common solution for web applications and other 3-tier systems (where the user doesn't have access to the database).