I am creating an application and I need to connect to a database. The database requires login/password so the application can do operations like select and insert.
我正在创建一个应用程序,我需要连接到数据库。数据库需要登录/密码,因此应用程序可以执行select和insert等操作。
In the application I need to connect to the database using login and password, so the application is free to do some tasks on the database. My question is: how do I store and use a password to connect to the database without exposing the password?
在应用程序中,我需要使用登录名和密码连接到数据库,因此应用程序可以*地在数据库上执行某些任务。我的问题是:如何在不泄露密码的情况下存储和使用密码连接数据库?
I can't simply use a hash or encryption to store the password because the database must recognize the password (I think most or all databases must receive password as plain text).
我不能简单地使用哈希或加密来存储密码,因为数据库必须识别密码(我认为大多数或所有数据库必须以纯文本形式接收密码)。
.
。
.
。
Note: The connection is made by the application. No human input to do the connection.
注意:连接由应用程序进行。没有人工输入来进行连接。
(Edit)More info about the application: it is a web application using servlets/jsp. The database is on the same server of the application. The user for the application is a default user without complete admin powers, but it may insert/delete rows and do most things that involve queries and data modification in tables.
(编辑)有关应用程序的更多信息:它是一个使用servlets / jsp的Web应用程序。数据库位于应用程序的同一服务器上。应用程序的用户是没有完全管理员权限的默认用户,但它可以插入/删除行并执行涉及表中的查询和数据修改的大多数操作。
4 个解决方案
#1
10
The usual way this is done is to externalize the username/password to a property/config file which is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).
通常的做法是将用户名/密码外部化到在运行时读取的属性/配置文件(无论您是否使用本机JDBC / JNDI / CDI / J2EE数据源/等)。
The file is protected via the O/S security by the sysadmins.
系统管理员通过O / S安全保护该文件。
The O/S has better tools for protection than app code.
O / S具有比应用程序代码更好的保护工具。
#2
7
You should use a config file for this. use spring with JDBC to make your life easier!
您应该使用配置文件。使用带JDBC的spring,让您的生活更轻松!
http://www.youtube.com/watch?v=f-k823MZ02Q
http://www.youtube.com/watch?v=f-k823MZ02Q
Checkout the above awesome tutorial on the Spring framework and using JDBC. Watch all of his JDBC and spring tutorials. BTW, he covers how to store passwords in config files and wire beans etc.. Hope this helps.
查看关于Spring框架的上述精彩教程并使用JDBC。观看他所有的JDBC和spring教程。顺便说一句,他介绍了如何在配置文件和线程bean等中存储密码。希望这会有所帮助。
#3
6
You can use jasypt for the encryption.And store the username and password to datasource.properties file.
您可以使用jasypt进行加密。并将用户名和密码存储到datasource.properties文件中。
public Connection getConnection() throws IOException{
try{
BasicTextEncryptor encryptor = new BasicTextEncryptor();
encryptor.setPassword("jasypt");
Properties props = new EncryptableProperties(encryptor);
props.load( this.getClass().getResourceAsStream("datasource.properties") );
String driver = props.getProperty("datasource.driver");
String url = props.getProperty("datasource.url");
String userName = props.getProperty("datasource.userName");
String password = props.getProperty("datasource.password");
Class.forName(driver);
Connection conn = DriverManager.getConnection(url, userName, password);
conn.setAutoCommit(false);
return conn;
} catch(ClassNotFoundException e) {
e.printStackTrace();
return null;
} catch(SQLException e) {
e.printStackTrace();
return null;
}
}
#4
4
If it's a web app, deploy it on a Java EE app server and connect using a JNDI resource. Only the admin who set up the JNDI data resource needs to know about the credentials needed to connect. Users and developers don't even have to know them; just the JNDI lookup name.
如果它是Web应用程序,请将其部署在Java EE应用程序服务器上并使用JNDI资源进行连接。只有设置JNDI数据资源的管理员才需要知道连接所需的凭据。用户和开发人员甚至不需要了解它们;只是JNDI查找名称。
It's not possible to completely eliminate the need for someone besides the database owner to know the username and password, but it is possible to restrict that knowledge to the app server owner.
除了数据库所有者之外,不可能完全消除对知道用户名和密码的需求,但可以将该知识限制在应用服务器所有者。
You are also well advised to create separate credentials just for that application and GRANT it the minimum access and permissions needed to accomplish its tasks. There should be no knowledge of system tables or any other resources outside the province of the application. IF DELETE permission isn't necessary, don't grant it. If access should only be read only, that's what you should GRANT to that credential.
建议您仅为该应用程序创建单独的凭据,并授予其完成任务所需的最低访问权限和权限。应该不了解系统表或应用程序省外的任何其他资源。如果不需要DELETE权限,请不要授予它。如果只能读取访问权限,那么您应该获得该凭证的权限。
#1
10
The usual way this is done is to externalize the username/password to a property/config file which is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).
通常的做法是将用户名/密码外部化到在运行时读取的属性/配置文件(无论您是否使用本机JDBC / JNDI / CDI / J2EE数据源/等)。
The file is protected via the O/S security by the sysadmins.
系统管理员通过O / S安全保护该文件。
The O/S has better tools for protection than app code.
O / S具有比应用程序代码更好的保护工具。
#2
7
You should use a config file for this. use spring with JDBC to make your life easier!
您应该使用配置文件。使用带JDBC的spring,让您的生活更轻松!
http://www.youtube.com/watch?v=f-k823MZ02Q
http://www.youtube.com/watch?v=f-k823MZ02Q
Checkout the above awesome tutorial on the Spring framework and using JDBC. Watch all of his JDBC and spring tutorials. BTW, he covers how to store passwords in config files and wire beans etc.. Hope this helps.
查看关于Spring框架的上述精彩教程并使用JDBC。观看他所有的JDBC和spring教程。顺便说一句,他介绍了如何在配置文件和线程bean等中存储密码。希望这会有所帮助。
#3
6
You can use jasypt for the encryption.And store the username and password to datasource.properties file.
您可以使用jasypt进行加密。并将用户名和密码存储到datasource.properties文件中。
public Connection getConnection() throws IOException{
try{
BasicTextEncryptor encryptor = new BasicTextEncryptor();
encryptor.setPassword("jasypt");
Properties props = new EncryptableProperties(encryptor);
props.load( this.getClass().getResourceAsStream("datasource.properties") );
String driver = props.getProperty("datasource.driver");
String url = props.getProperty("datasource.url");
String userName = props.getProperty("datasource.userName");
String password = props.getProperty("datasource.password");
Class.forName(driver);
Connection conn = DriverManager.getConnection(url, userName, password);
conn.setAutoCommit(false);
return conn;
} catch(ClassNotFoundException e) {
e.printStackTrace();
return null;
} catch(SQLException e) {
e.printStackTrace();
return null;
}
}
#4
4
If it's a web app, deploy it on a Java EE app server and connect using a JNDI resource. Only the admin who set up the JNDI data resource needs to know about the credentials needed to connect. Users and developers don't even have to know them; just the JNDI lookup name.
如果它是Web应用程序,请将其部署在Java EE应用程序服务器上并使用JNDI资源进行连接。只有设置JNDI数据资源的管理员才需要知道连接所需的凭据。用户和开发人员甚至不需要了解它们;只是JNDI查找名称。
It's not possible to completely eliminate the need for someone besides the database owner to know the username and password, but it is possible to restrict that knowledge to the app server owner.
除了数据库所有者之外,不可能完全消除对知道用户名和密码的需求,但可以将该知识限制在应用服务器所有者。
You are also well advised to create separate credentials just for that application and GRANT it the minimum access and permissions needed to accomplish its tasks. There should be no knowledge of system tables or any other resources outside the province of the application. IF DELETE permission isn't necessary, don't grant it. If access should only be read only, that's what you should GRANT to that credential.
建议您仅为该应用程序创建单独的凭据,并授予其完成任务所需的最低访问权限和权限。应该不了解系统表或应用程序省外的任何其他资源。如果不需要DELETE权限,请不要授予它。如果只能读取访问权限,那么您应该获得该凭证的权限。