Security of JDBC vs webservices in an application

 
Raymond Holguin
Ranch Hand
Posts: 82
I have a client-server type of application. My dilemma is trying to figure out how to access the server data from the client application. I have read about the cons of using JDBC connections in the client, in that you hardcode credentials, you have to expose your server DB to the public, etc.

My environment has it such that this application will only be deployed at certain computers, so it's not a situation where anyone in the world will be downloading this app. Though those specific computers could be potentially used by all sorts of people. So at the firewall level and DB level I can only allow access to those specific IPs (yes, I know IPs can be spoofed). So for me, a workaround would be that I could use JDBC, but just limit the access that user account has at the DB level by explicitly specifying read/write access to the various tables.

The other option is to have some webservices at the server level, and the client can just call those services to read/write data. My issue is that I don't necessarily see a difference in security, since I am still going to have to hardcode some sort of credentials into the client to authenticate access to the web service. So if anyone tries to break down the code they will be able to access my webservice read/write calls. So I appear to be back at square one.

For me, I am not sure I see a difference in one method being better/worse than the other security-wise. At the end of the day I am still hardcoding some login credentials that can potentially be compromised. Implementation-wise, JDBC would be easier, I think, so I don't have to build the whole web service infrastructure. Can anyone give me some more insight about this topic and perhaps fill me in on some issues I may be overlooking?
 
Claude Moore
Ranch Hand
Posts: 924
I think that there's no way to absolutely protect a system available to undefined subjects. Credentials may be stolen in a number of ways. Maybe the more practical - not secure, just practical - approach is adopting web services. At least I think it would be easier to monitor accesses.
 