I have simple server-client application that uses JDBC to connect to database and things works ok. Application does few simple things with JDBC connection (get data, insert new line and few others).
Now, I would like to keep the same application but use it outside of firewall - so, I would put something else on some host:port (and open that port to outside world) - instead of JDBC opening database access directly.
I guess that this problem is faced many many times and sure there are a lot approches.
One way can be doing servlet on one side, accessing it on client side.
I guess, I haven't touched Spring yet, maybe another would be to do POJO Java Class and using Spring configure it as http service.
I have heard also "rumors" that Jetty has something that can help in this case (to minimaze coding on server and client side)
I would prefer something that:
- is not complicate (easy learning path)
- reuse something that is already done.
What approach would you recommend ?
Thank you and regards,
Igor
The normal approach would be to implement a web service, which can be pretty easy these days with Axis etc.
You really don't want to open direct JDBC to clients outside a firewall by tunnelling over HTTP... the server should strictly control what kind of interaction takes place with the database.
I would recommend using something like SSH tunnels to carry your JDBC connections through the firewall. Set up a tunnel on the DMZ machine on whatever publicly open port your can, and connect the other end of the tunnel to the appropriate port on the DB server.
Then just change your JDBC connection settings to connect to the tunnel machine's public port and it will transparently end up communicating with the database as usual, while passing through the firewall via the accepted port.
If this is an IT policy problem, in that they won't let you directly access the database, then you would need to work out what you are allowed to do and work with that as far as possible. Changing JDBC to another access method is unlikely to be acceptable to the IT policy in this case.
Edit: after reading Jon's answer, he may be right. I was assuming that the issue was the connection between your server/webapp, and the database server. If you were talking about the client creating direct JDBC connections to the database, then yes - firewall or no, this is very bad practice. The client should talk to your server to ask for what it wants, and your server should do the DB queries as required to get the information.
I think that would just be an unnecessary complication. Your DBMS (usually) brings access control and transport layer security. If you introduce your own layer, are you sure that you can make it safer than a direct connection to the DB?
I see your rationale, but if there isn't a framework to do this, avoid building your own! For example, PostgreSQL comes with a bunch of nifty options to tie things down. For example, require SSL certificate-based authentication on the transport level (clients must present a cert that the server checks), or IP-based access.
Of course you still have to trust your DBMS implementation to get basic details like access control right (= "uncrackable"), but you still need to rely on this anyway after the black hats have broken into your web-proxy ;)
#dtsazza: Maybe edit your answer to include the keyword "VPN"? ssh tunnels probably scale badly outside of a private setup.
Volker
Related
I am trying to figure out how to connect to an oracle database located in sql developer, using java in eclipse. I have been looking online and have found responses like this one java connect to backend explanation which give a detailed step by step on how to connect.
However I was also reading about using PuttY/tunneling, which the link that I showed above does not talk about. How do I know if PuttY has to be used? For context, the oracle sql developer database is a database that belongs to my company
Hypothetically, you could SSH tunneling if you want to connect to a server that is behind a firewall that blocks the database port, or on a private network that your network cannot route to.
Another possible use-case might be to provide an encrypted channel for your database connection to protect the data against snooping (or worse) by a third party. (But there better ways to do that; e.g. using a VPN, or an SSL connection to the database.)
Generally speaking, SSH tunneling of database connections is something you do when other approaches are not available or won't work.
Total Crystal/EJB/JNDI noob so please be considerate :) I don't have any source codes to post (yet) because I don't know enough about these 3 combined to post anything meaningful.
Anyway...
I am maintaining an application that uses EJB3 and JNDI to connect to the DB for my Crystal reports. Now, due to our requirements, we need to ensure that the communication between the app and the DB is secure (e.g. encrypted). How should this be done?
I've been seeing discussions on using security domains, JAAS and roles (like this one), but from what I'm seeing, that's going to force me to put annotations on every method that's concerned with connecting to the DB, not to mention define roles for users (which is not needed at this point). Then there are those saying it's just a matter of configuring my application server (in this case, it's JBoss) or putting a transport-guarantee in my web.xml (e.g. CONFIDENTIAL).
What's the best approach (or do you think that this is redundant/unnecessary)? Any help or hints on where to start would be really appreciated as I don't really see how to tackle this.
Thanks in advance!
You have 2 options:
IPsec
The first option is a OS-level encryption. All network traffic between host endpoints are encrypted. You will need to configure the OS of both the APP and DB servers for IPsec.
encrypted JDBC connection
In this option, only the JDBC network traffic between the database server and client is encrypted. On the DB server side, you'll need to configure your database server to SUPPORT or REQUIRE encryption. On the client side, you need to configure your JDBC connection properties to use encryption. The exact configuration and path for the SSL keys are dependent on the database that you are using.
The 2 options are not mutually exclusive and you can implement both at the same time but I think that is an overkill.
For the past few weeks, I have been scouring the internet, the minds of computer programmers, and just a few random people over the situation I am looking to overcome. Basically, what I am trying to do it write a AntiJoinBot "plugin" (if you will) for the popular game Minecraft. This would be like all others in respect that it blocks IPs based on if they are using a proxy or not, but this AntiJoinBot is running on a different VPS than the actual server.
This is the best graph I can make of the situation (it's not that good):
(non-minecraft server) Connection -> Proxy check -> Redirect to the
server -> Minecraft
The only problem is, I need to be able to redirect the IP and close the connection so that the player's real IP is the one that would connect to the server. If the connection is not able to be closed, it would cause real problems due to some of the plugins we are running.
If you have a solution or a better way to do this, please help me.
Redirection of connections along the lines that you want requires support from the (application) protocol. TCP/IP does not support it. AFAIK, SOCKS does not support it either. Unless the Minecraft application protocol (and by implication, Minecraft clients and servers) include support for redirection, you are out of luck.
(FWIW - that's how HTTP redirection works. HTTP has a "protocol element" that allows the server to tell the client to redirect, and where to redirect to. The client then resends the original request to a new address.)
But that doesn't mean that you can't deal with the pests. It just means that the redirection approach is not viable. Try a custom proxy or an IP filter / redirector instead.
You are trying to save the server's resources on the cost of increase Traffic.
I am not sure with the answer but may be by looking into the concept of LBS(Load Balancing Server) you may find the answer.
LBS is purely defined and controlled by us so you can manage the resources of two servers using one load balancing server.
I need to test a functionality internal to my company's server whose benefit is evident only when clients run slow (as of latency and packet loss). To that extent, I need to simulate clients on a slow and/or lossy connection (TCP/HTTP). I'm using a Mac, Mountain Lion, and ideally I'd need to run both server and client locally.
One approach I tried to pursue -- unsuccessfully -- was to get hold of some java APIs that allow me to build clients with slow connections. I know JMeter has got something called SlowSockets (or something similar), but I was looking for APIs more focused on slow-performing clients. Any ideas of useful APIs?
Another approach I tried consisted in using a proxy to act as a middleman between client and server. In that case, the proxy should provide functionalities for simulating slow links. I've tried Charles proxy (Mac) and Apache TCPMon, however I seem to miss something when I try to get them at work. With TCPMon, for instance, when I start it in 'Proxy' mode (which is the mode that offers the 'simulate slow link' functionality) I define port for the local proxy, but I can't see how to define the remote host and port. Something similar happens with Charles Proxy; I can set the local port in the Proxy settings, but I can't understand how to define the remote end of the proxy (in fact connections fail saying the remote server is not responding). Anyone having ideas what I'm doing wrong?
One further approach I have tried to pursue is by using lower-level (e.g. OS-based) means; in this case, I tried Apple's Network Link Conditioner. I switched it on and defined my slowness parameters, but when I ping I don't seem to see the expected RTT etc. I've got a feeling NLC has a tight relationship with XCode and iOS testing, anyone capable of putting it at work for testing other (e.g. Java) applications? I've also tried ipfw on Mac, however the manual says ipfw is now deprecated and I don't want to dedicate time to get to know a tool that won't be available soon.
Any idea/help will be highly appreciated.
Thanks in advance.
I would like to use some JMS (Java Message Service) library, ActiveMQ or FFMQ, but need to run it over SSH protocol. I have started implementing my own connection factory method of ActiveMQ, but then the idea of implementing Socket/SocketFactory interfaces over SSH has struck me. It would let me adapt pretty much any JMS implementation without really touching its code. As usual, somebody has already had this idea and I have found couple implementations of this approach.
http://svn.apache.org/repos/asf/pig/trunk/lib-src/shock/org/apache/pig/shock/SSHSocketImplFactory.java
http://benkstein.net/java/SSHSocketFactory/javadoc/
The first one is a class somewhere in the guts of Apache Pig. The second is a hack/addon for MySQL client, published by Frank Benkstein in 2004. It appears that MySQL community was not interested in it (http://www.webservertalk.com/archive277-2004-7-294282.html).
I wonder if there are other implementations of SocketOverSsh factory, possibly better documented/supported?
Update: My primary motivation is to avoid having additional open ports or configuration changes both on the client and the server. So SOCKS or plain port forwarding are not desirable solutions.
This looks a bit heavy-weight. Have you considered finding a solution using the SOCKS protocol? An ssh-client can act as a SOCKS proxy by e.g. invoking it with "ssh -D ". The good thing is that the JVM already knows how to use SOCKS automatically for network connections. Of course the cave-at is that the ssh-connection would be established outside of the Java app.