Design Issues

 
Alec Lee
Ranch Hand
Posts: 569
I have some design issues related to security. Hope somebody can share their experience.

If I code my JDBC clients so that they will directly issue UPDATE/INSERT/DELETE to the database (I am using Oracle), that means in Oracle I have to grant direct access rights on the tables to the JDBC account. But, I am not comfortable with this approach. In JDBC, we somehow have to provide the password in the URL in plaintext. And I think we cannot trust the JDBC account is secure.

A more secure way I can think of is to move the tables to another account, and only expose stored procs to the JDBC client. This can limit the kind of UPDATE a client can do, and only the update logic provided by the stored procs is available. However, by looking at the posts in this forum, most of the approaches I see are to issue direct SQL update/insert/delete to the tables. I am just wondering if they are based on some better and more secure approach I didn't realize.

Hope someone can clarify my concern.
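The layout proposed in the post above, sketched as an added example that is not part of the original thread: tables live in an owner schema nobody logs in to, and the JDBC account can only execute a procedure. All names (APP_OWNER, APP_CLIENT, ACCOUNTS, ADJUST_BALANCE), the USERS tablespace, the passwords and the 1000 limit are assumptions made for illustration.

```sql
-- Run as a DBA. Every object name and password below is a hypothetical placeholder.

-- Schema that owns the data; locked, so its password is never used by a client.
CREATE USER app_owner IDENTIFIED BY "placeholder_owner_pw" ACCOUNT LOCK;
ALTER USER app_owner QUOTA 10M ON users;   -- assumes a USERS tablespace exists

-- Account whose credentials sit in the JDBC client's configuration.
CREATE USER app_client IDENTIFIED BY "placeholder_client_pw";
GRANT CREATE SESSION TO app_client;        -- may log in, nothing else

CREATE TABLE app_owner.accounts (
  account_id NUMBER PRIMARY KEY,
  balance    NUMBER(12,2) NOT NULL CHECK (balance >= 0)
);

-- Definer's rights (Oracle's default, spelled out here): the body runs with
-- APP_OWNER's privileges, so the caller needs no grant on the table itself.
CREATE OR REPLACE PROCEDURE app_owner.adjust_balance (
  p_account_id IN NUMBER,
  p_delta      IN NUMBER
) AUTHID DEFINER AS
BEGIN
  -- The only update logic a client can reach is what is validated here.
  IF p_delta IS NULL OR ABS(p_delta) > 1000 THEN
    RAISE_APPLICATION_ERROR(-20001, 'delta out of permitted range');
  END IF;

  UPDATE app_owner.accounts
     SET balance = balance + p_delta
   WHERE account_id = p_account_id;

  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'unknown account');
  END IF;
END adjust_balance;
/

-- The single object privilege the JDBC account receives.
GRANT EXECUTE ON app_owner.adjust_balance TO app_client;

-- Audit check: this should list only EXECUTE on ADJUST_BALANCE.
SELECT privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantee = 'APP_CLIENT';
```

From JDBC the client would call this through a `CallableStatement` with `{call app_owner.adjust_balance(?, ?)}`. A direct `UPDATE app_owner.accounts` from an APP_CLIENT session fails with ORA-00942, because that account holds no privilege on the table.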
 
saravanan kanda swamy
Ranch Hand
Posts: 33
Hi,

The security aspects depend upon the type of client that you expose to the users.

Is it a normal Java program, an applet, or a web application?

There are several scenarios for each of them. In general they won't set the user id and password in the Java program. They will set them in a properties file or XML file which will be on the application server, which the user can't access.

I found a few links regarding the security aspects; hope that helps!

http://java.sun.com/j2se/1.3/docs/guide/jdbc/spec/jdbc-spec.frame5.html

There is a list of examples from the Oracle site itself for their Application Server.

http://www.oracle.com/technology/sample_code/deploy/security/9i_security.html

http://www.oracle.com/technology/sample_code/deploy/security/files/secure_thin_driver/readme.html

Thanks and Regards,
Saravanan.K
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
Alec,
If you are using an application server, you can create a datasource. Then the app server will encrypt the password.
 