Servlets - How secure are they?

 
Subbu Aswathanarayan
Ranch Hand
Posts: 73
Hi all,
I was wondering how secure servlets are. Is it possible to get hold of a servlet's class file?
I will be more specific. I have written a servlet for user authentication. It queries a database to find out if the login and password exist. My question is: since I am opening a connection to the database and querying it all in the servlet, if a person gets a copy of my servlet's class file, he will be able to find out my database structure and my database login and password, and this is not very desirable.
What are the chances that a user can get the class file? I know beans would have been a much better and wiser option, but I don't want to change my whole code again.
I appreciate any help.
Subbu
 
Matt Gregory
Greenhorn
Posts: 8
It's not how secure the servlet is; through normal operation it's pretty hard to get the servlet code from the server. If your system is insecure, however, then they can get the class and/or source files off the server.
If you like, you could obfuscate the portion of code containing the login and password, and that would make it much, much harder for someone who actually did get the class to decompile it and get your db username/password.
If your database is set up properly then remote access to it by any user who does get the username/password would be denied. This however is unlikely to help since if they do get the class then chances are they have shell and possibly root on the box and can use telnet to mess with your data.
So, in a roundabout way, I'm saying that servlets are safe as long as the box is safe.
As far as obfuscating your username/password in the code, I once coded the username/password for database access inside of an applet (just for kicks) and RSA encrypted it. The private and public keys were both stored on the server inside of a servlet and obfuscated by having a character array built out by several classes which contained the passkeys. Once converted back into prime numbers, these keys could be used to decrypt the username/password and then connect to the database. (If you're wondering, this was because each instance of the applet had a different username/password based on the client.) It wasn't blazingly fast, but it was about as secure as you could make the mockup.
-hope this helps: Hoopy
 
saurabh pathak
Greenhorn
Posts: 6
Hello Subbu,
Regarding what you have mentioned about the security aspects of servlets, I have to ask one question: why are you not using the web server's security features for it? For example, there is no need to hard-code your database name and password in your servlet program; instead you can pass these using config parameters, i.e. by using the ServletConfig object. Second, if you are using Tomcat or the WebLogic server, you have the facility to define your own context, because defining your own contexts is a much more secure way.
Thanks
saurabh
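
The ServletConfig approach from the reply above, as an added example that is not part of the thread: the servlet reads its database settings from init parameters in the deployment descriptor instead of compiling them into the class file. The class name `LoginServlet`, the parameter names `dbUrl`, `dbUser` and `dbPassword`, and the `openConnection()` helper are assumptions made for illustration.

```java
// Added example, not code from the thread. All names below are assumed.
// Assumed WEB-INF/web.xml entry (values are placeholders):
//   <servlet>
//     <servlet-name>login</servlet-name>
//     <servlet-class>LoginServlet</servlet-class>
//     <init-param><param-name>dbUrl</param-name><param-value>JDBC_URL_HERE</param-value></init-param>
//     <init-param><param-name>dbUser</param-name><param-value>DB_USER_HERE</param-value></init-param>
//     <init-param><param-name>dbPassword</param-name><param-value>DB_PASSWORD_HERE</param-value></init-param>
//   </servlet>
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServlet;

public class LoginServlet extends HttpServlet {
    private String dbUrl;
    private String dbUser;
    private String dbPassword;

    // Runs once when the container loads the servlet.
    @Override
    public void init() throws ServletException {
        ServletConfig cfg = getServletConfig();
        dbUrl = required(cfg, "dbUrl");
        dbUser = required(cfg, "dbUser");
        dbPassword = required(cfg, "dbPassword");
    }

    // Fail closed at startup: name the missing key, never echo a value.
    private static String required(ServletConfig cfg, String name)
            throws UnavailableException {
        String value = cfg.getInitParameter(name);
        if (value == null || value.isEmpty()) {
            throw new UnavailableException("Missing init-param: " + name);
        }
        return value;
    }

    // Used by the request handlers; the caller closes the connection.
    Connection openConnection() throws SQLException {
        return DriverManager.getConnection(dbUrl, dbUser, dbPassword);
    }
}
```

With this layout a copy of the class file no longer contains the credentials, but they still sit in `WEB-INF/web.xml` on the server, so file permissions on the box matter as much as before.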

 