
Is there any framework to have a secure connection between our Java web app and DB?

 
Shadi Mehrabadi
Hi everyone

I'm confused and hope you can help me. :|
I know J2SE and now I want to write a Java web app.
My project features are:
1- It has many clients, so I should moderate concurrency.
2- The clients have different access levels.
3- There are some files that the admin should load into the database using the program. I have already worked with SQL Server and I'm an expert in it; I can choose the DB myself. Is SQL Server suitable??
4- Users can get a view from the DB by entering some values like a date.
etc.

As I realized, I should know J2EE. I started Head First Servlets and JSP and I'm in chapter 5.
I think I should use the Proxy Pattern to control access and keep a log of what each user does.
I don't know how to connect to the DB... and many other questions :|

As you are experts in Java programming, would you help me?
I want to know whether I have chosen the right way or not with these features, and is there any framework that provides me security and convenience?

Thanks
 
K. Tsang
Welcome to the Ranch

To connect to a database in Java, you use a JDBC driver. For web and enterprise apps, you can set up a connection pool on the app server (e.g. Tomcat, JBoss or Glassfish) and use JNDI to look up the database connection.

From the database perspective, concurrent access should not be an issue. Yet performance may be.

 
Shadi Mehrabadi
Dear K. Tsang, Thank you

It means that I should use JDBC, something like this?!:




 
K. Tsang
Yup, that looks right.

 
James Boswell
A tutorial on JDBC should be useful.

JDBC Basics
 
Shadi Mehrabadi
Thanks, K. Tsang and James Boswell.

Something else... Isn't it better to use the Spring MVC framework?!
I don't have any idea about that! But when I downloaded Spring and saw the IDE, it looked like the Eclipse IDE!! The same interface... I made a dynamic web project... and went on!

Emm... now I'm reading about it.

Is it useful for me?! Or is it better to set it aside...
 
Shadi Mehrabadi
I mean for the first part... The MVC part...
 
James Boswell
It is never a good idea to learn a framework like Spring without an understanding of what is going on in the libraries which the framework hides away from you.

Spring is something that you can learn later, once you have mastered the basics. An employer (at least, a sensible one) will always choose a candidate with solid experience using core Java (standard and enterprise) over someone who exclusively uses the likes of Spring and Hibernate.
 
Shadi Mehrabadi
Actually, I thought that I should use Spring MVC for the first part and Hibernate for connecting to the DB... to obtain security.
So... without using frameworks, would security be obtained?

As far as I know, one of the purposes of using frameworks is this...

 
Tim Holloway
Some say that it is better to use an ORM framework such as Hibernate/JPA than to use raw JDBC. For large-scale apps, an ORM can often provide better performance (Your Mileage May Vary). From a manager's point of view, an ORM means that relatively little SQL expertise is required, since a lot of the nastier join operations are simple POJO properties. From a practical-experience point of view, it's no free lunch, since when things don't work right it can be a major pain figuring out what's wrong. As the esteemed Mr. Boswell has noted, it's still useful to know the underlying principles.

Moving on to general performance: an enterprise-grade webapp should use a connection pool, and frameworks such as Hibernate are usually used with connection pools. The advantage of a pool is that instead of constantly creating and destroying Connections to the database, Connections are kept in the pool, borrowed just-in-time, and released to the pool for other threads to use. Creating new Connections from scratch can be a lot more overhead.

Then there's security. First of all, general connectivity to your database server. If you want encrypted traffic between your webapp (Connection pool) and the database server, you have to have a JDBC driver that can handle such things (usually meaning that also you need a database that can handle encrypted connections). And you have to configure the driver parameters (pool definition) to use the encrypted transport. As for SQL Server, that's fine, as long as your database is only going to run on Windows machines. If there's a chance that you might be hosting it on Linux, BSD, Solaris, MacOS, or something similar, pick an OS-independent DBMS such as MySQL/MariaDB, PostgreSQL or something like Oracle or DB2.

Now on to user-specific security. For actual application security, J2EE/JEE have a built-in security system that is light-years better than what any shop which doesn't employ full-time software security specialists is likely to be able to come up with. You can make it more fine-grained by augmenting it with Spring Security. Spring Security does not require Spring MVC to be used. It works with any J2EE app framework, including none at all.

Note, however, that there is one security "gotcha". One of the characteristics of a pooled object is that every object in the pool MUST be just like every other object in the pool. That means that you cannot pair application user and database user to select database-side security attributes. All pool connections use a common user ID, whose security properties must be the Greatest Common Denominator of all security properties in the webapp. That means that if app user A can do "Alpha" and app user B can do "Beta", then database connection user "DB" must have "Alpha+Beta" security privileges. It is therefore very important to find out what that GCD privilege set must be. And the webapp itself is responsible for ensuring that user A doesn't do any "Beta" operations.
 
Shadi Mehrabadi
ehmmmm...

Thanks, Mr. Tim Holloway, for your description. It was so high and it made me so happy.

So... it's better for me, the beginner, to use J2SE and J2EE, the core, because I'll have so many bugs and it'll be easier for me to solve them if I use the core, not the frameworks' libraries. And for me, the beginner, it's better to rely on J2EE's own security than to take on a big stone that will make me tired. Emmm.... the question is... later, for example 6 months later, is it possible to change the program to use frameworks?! Or will it be so hard and time-consuming to add Spring Security to my J2EE app?!

As Mr. Tim Holloway said, I should use MySQL, because the server's OS is Linux.

About the last paragraph... actually I didn't understand what you mean... "That means that you cannot pair application user and database user to select database-side security attributes."... where will it happen?!...

Sorry about these greenhorn questions, I don't have any idea what these frameworks are. I have never worked with them; I just know they provide some functions and libraries that we can use in our programming!!!

Thanks, and have a pleasant life, guys
 
Tim Holloway
shadi me wrote:
About the last paragraph... actually I didn't understand what you mean... "That means that you cannot pair application user and database user to select database-side security attributes."... where will it happen?!...


Because the database privileges must be the Greatest Common Denominator of all the privileges that the webapp itself requires, it is up to the webapp to ensure that its users cannot invoke webapp functions that would allow them to do forbidden things. For example, if I had an app which had a "set password for user" function, I would probably restrict that function to only users serving in the "administrator" security role. Thus, although the database user for the Connection Pool would have to be allowed to update the password table, the only webapp users that would be able to run the code that actually did the password update would be administrator users.
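The shape Tim Holloway describes across his two posts, as an added example that is not code from this thread: the webapp borrows a Connection from the container-managed pool that K. Tsang mentioned (looked up via JNDI), and because that pool logs in to the database as one shared user with the union of all privileges, the "administrator only" check for the password-reset operation has to be made in the webapp before the update runs. The JNDI name `jdbc/appDB`, the role name `administrator`, the `users` table with `pw_hash`/`pw_salt` columns, and the `PasswordAdmin` class are all assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;

// Assumed "set password for user" operation that runs over the shared, pooled DB login.
public class PasswordAdmin {
    private final DataSource pool;
    // JNDI lookup of the container-managed pool; "jdbc/appDB" is an assumed name declared
    // in the app server (e.g. Tomcat context.xml), which is also where the driver's TLS
    // settings for an encrypted connection to the database server are configured.
    public PasswordAdmin() throws NamingException {
        pool = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDB");
    }

    // Returns true if exactly one user row was updated.
    public boolean setPassword(HttpServletRequest req, String user, String pw)
            throws SQLException, GeneralSecurityException {
        // The gotcha from the post: the pool's single DB user is allowed to update every
        // password, so the webapp must refuse callers outside the administrator role.
        if (req.getUserPrincipal() == null || !req.isUserInRole("administrator")) {
            throw new SecurityException("administrator role required");
        }
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Borrow a pooled Connection (try-with-resources returns it to the pool);
        // PreparedStatement keeps the user-supplied values out of the SQL text.
        try (Connection con = pool.getConnection();
             PreparedStatement ps = con.prepareStatement(
                 "UPDATE users SET pw_hash = ?, pw_salt = ? WHERE username = ?")) {
            ps.setString(1, pbkdf2(pw, salt));
            ps.setString(2, Base64.getEncoder().encodeToString(salt));
            ps.setString(3, user);
            return ps.executeUpdate() == 1;
        }
    }
    // PBKDF2-HMAC-SHA256 from the JDK; the users.pw_hash/pw_salt columns are assumed.
    private static String pbkdf2(String pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 100_000, 256);
        return Base64.getEncoder().encodeToString(SecretKeyFactory
                .getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded());
    }
}
```

The role check relies on container-managed security: the role must be declared in web.xml and the user authenticated by the app server before `isUserInRole` returns true, which is the built-in J2EE/JEE security system the post refers to.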
 