CMP vs. BMP concerning encrypted data

 
Greenhorn
Posts: 18
Everywhere I keep reading "you should [almost] never have to use BMP with EJB 2+ [if you have a relational database]" or some version of that advice.

But I keep wondering, what if some application data is almost guaranteed to be encrypted in the persistent store, using either one- or two-way encryption? For example, MySQL's PASSWORD() function is a fairly common one-way encryption mechanism for passwords, and many other 2-way encryption algorithms can be used to cipher credit card numbers or other legally-sensitive information.

If I want an entity bean to represent objects with sensitive, more-than-likely-encrypted-in-the-persistent-store data fields, what's the best way to approach this? Use a BMP bean that harnesses the ease of using decryption methods in the actual SQL code? Or use a CMP bean wrapped with a session facade (like a DecryptorFactory of some sort) that can make sense out of the encrypted data?

What's the best way to do this and keep the ejb-jar portable across different database implementations? Is there any way to achieve one-way encryption with Java? This has been bugging me for a long time. If anyone has any best practices or good ideas, please share, thanks!
 
Ranch Hand
Posts: 209
Dan,

You could encapsulate all required logic in your CMP EB. E.g.,



As you can see in the example, we decrypt the password extracted from db. Same could be done with storing the password into db (would be encrypting first and then saving into db).

Oh, yeh. In regards to one way encryption in java. Check out the following:


Hope it helps,


[ August 13, 2004: Message edited by: Alex Sharkoff ]

 
Dan Ludwig
Greenhorn
Posts: 18
I found some other docs on doing the SHA and MD5 encryption using MessageDigest, and your above example works great if that's how the data is encrypted. I still think an environment entry might be necessary though, to be able to configure the encryption method at deployment time (one which would work with some kind of MessageDigestCryptionFactory) depending on the database.

However, what I'm looking for here is more of an answer to the portability issue. What if the persistent store uses an encryption algorithm other than SHA or MD5? Do I need to become a cipher expert if I want my CMP bean to work with several different database vendors, and work with existing data (that for example I, as the Bean Provider, cannot suggest encryption policies for)?
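
The deployment-configurable digest check discussed in this thread, as an added example that is not code from either poster. `DigestVerifier` and its method names are hypothetical, the algorithm name is assumed to come from an env-entry, and only plain JCA digests are covered, not database-specific functions such as MySQL's PASSWORD().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: DigestVerifier is a hypothetical helper, not code from the thread.
public class DigestVerifier {
    private final String algorithm;
    // algorithm: a JCA digest name ("MD5", "SHA-1", "SHA-256"), e.g. read from an env-entry.
    public DigestVerifier(String algorithm) throws NoSuchAlgorithmException {
        MessageDigest.getInstance(algorithm); // reject an unknown name up front
        this.algorithm = algorithm;
    }

    // One-way transform: produces the bytes that get stored.
    public byte[] digest(String clearText) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(algorithm)
                .digest(clearText.getBytes(StandardCharsets.UTF_8));
    }

    // A digest cannot be decrypted: hash the candidate and compare the two digests.
    public boolean matches(String candidate, String storedHex) throws NoSuchAlgorithmException {
        byte[] stored = fromHex(storedHex);
        return stored != null && MessageDigest.isEqual(digest(candidate), stored);
    }
    static byte[] fromHex(String hex) {
        if (hex == null || hex.length() % 2 != 0) return null; // malformed stored value
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"MD5", "SHA-256"}) { // constructed sample deployments
            DigestVerifier v = new DigestVerifier(alg);
            String stored = toHex(v.digest("s3cret")); // constructed sample value
            System.out.println(alg + " ok=" + v.matches("s3cret", stored)
                    + " wrong=" + v.matches("S3cret", stored));
        }
    }
}
```

Plain unsalted digests are used here because they are what the thread discusses. Where the storage format is yours to choose, a salted, iterated scheme such as PBKDF2 (available through `javax.crypto.SecretKeyFactory`) is the usual choice for passwords.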
 