我怎样才能安全地(间接)查询中的Android PostgreSQL数据库? [英] How can I securely (indirectly) query a postgresql database within android?
问题描述
目前的解决办法,我不得不采取使用JDBC和商店的Android应用程序的内部数据库的用户名/密码。这是就我而言并不是一个很好的解决方案。我想实现的中间Web服务器映射层。
The current solution that I have to adopt uses JDBC and stores the user/password of the database inside the android app. That's as far as I'm concerned not a good solution. I would like to implement a mapping layer on the webserver in the middle.
有没有最好的做法或推荐的策略呢?我应该使用SOAP或JSON或完全不同的东西(因为他们是很好的实施和/或容易在Java中使用)? 是否有任何制图工具PostgreSQL的<? - > SOAP / JSON /不管在PHP或将我需要通过自己编写这些脚本
Is there any best practice or recommended strategy for this? Should I use SOAP or JSON or something completely different (because they're well implemented and/or easy to use in Java)? Are there any mapping tools for postgresql <-> SOAP/JSON/whatever in PHP or will I need to write these scripts by myself?
任何指针将大大AP preciated。
Any pointers will be greatly appreciated.
推荐答案
使用您控制(有可能,但不一定是数据库主机)公共主机上运行中层衣的Web服务。揭露公共Web服务方法,你要允许,没有别的了有限的工作。
Quick version:
Use a web service midlayer running on a public host you control (possibly but not necessarily the database host). Expose public web service methods to do the limited work you want to permit and nothing else.
- JDBC驱动程序的PostgreSQL与Android
- <一个href="http://stackoverflow.com/questions/5001066/how-to-connect-to-a-postgresql-server-via-jdbc-in-android">How通过JDBC在Android的连接到PostgreSQL服务器?
- Driver JDBC PostgreSQL with Android
- How to connect to a PostgreSQL server via JDBC in Android?
我个人会使用如的Apache Tomcat 或的 JBoss应用服务器7 ,然后我会写使用 JAX-RS 来制作我的Web服务方法我的应用程序一个很好的REST风格的API来使用。这就是我熟悉的,它工作得很好,但你有很多的选择,包括的实现:
Personally I'd use a Java application server like Apache Tomcat or JBoss AS 7 and I'd write my web service methods using JAX-RS to produce a nice REST-style API for my app to use. That's what I'm familiar with and it works well, but you have lots of options including implementations of:
-
REST的API的(Java的JAX-RS impls新泽西州和RestEasy的,其他各种LANGS工具)使用的HTTP请求,并产生JSON或XML的答复。
REST-like APIs (Java's JAX-RS impls Jersey and RESTEasy, various other langs tools) that use HTTP requests and produce JSON or XML replies.
SOAP使用WSDL,经典的Web服务层。在Java中与JAX-WS进行中的其他选项。大多数语言有SOAP + WSDL的工具,但它是一种用蹩脚特别是在间歇连接像移动设备一起使用。
SOAP with WSDL, the classic "web service" layer. In Java done with JAX-WS among other options. Most languages have tools for SOAP+WSDL but it's kind of crappy to work with especially on intermittently connected devices like mobiles.
XML-RPC,如果你喜欢疼痛
XML-RPC if you like pain
有一些JAX-RS 快速入门上的 JBoss应用服务器7快速入门列表;只要搜索JAX-RS。在<一href="https://docs.jboss.org/author/display/AS71/Getting+Started+Developing+Applications+Guide#GettingStartedDevelopingApplicationsGuide-CDIJSFEJBJTABeanValidationJAXRSArquillian%3aKitchensinkquickstart">kitchen沉快速入门是非常有用的,虽然也许不是理想的,如果你不熟悉与JBoss的基础知识7和java的EE 6堡JAX-RS的细节,你最好用球衣或RestEasy的教程像这个或的这个。
There are some JAX-RS quickstarts on the JBoss AS 7 quickstarts list; just search for "JAX-RS". The "kitchen sink" quickstart is useful, though perhaps not ideal if you're not familiar with the basics of JBoss AS 7 and Jave EE 6. Fort the JAX-RS specifics you're better off with a Jersey or RESTEasy tutorial like this or this.
如果可能,请使用HTTPS,如果访问不被公众使用如HTTP基本认证通过HTTPS合适的HTTP认证方案。任何像样的Web服务实现将提供身份验证选项,或者支持那些在其上运行的平台。避免在Web服务层来实现自己的身份验证和用户管理的诱惑,你的将会的搞砸了;使用身份验证,在这已经编写和测试HTTP层。这可能需要使用像Apache的 mod_auth_pgsql 时,JBoss AS 7的JDBC安全领域,等等。我认为没有做正确的每个用户的HTTP认证的唯一情况是我不需要分开我的用户为了安全起见,我只关心它是我的应用程序访问服务器,也就是说,如果我的安全要求是相当薄弱。在这种情况下,我会使用一个固定的用户名/密码为整个应用程序和可能的X.509客户端证书,如果Android支持他们。
Use HTTPs if possible, and if access isn't to be public use a suitable HTTP authentication scheme like HTTP Basic auth over HTTPs. Any decent web services implementation will offer authentication options or support those of the platform on which it runs. Avoid the temptation to implement your own authentication and user management at the web services layer, you will screw it up; use the auth at the HTTP layer that's already written and tested. This may require the use of something like Apache's mod_auth_pgsql, JBoss AS 7's JDBC security realms, etc. The only case I'd consider not doing proper per-user HTTP auth is where I don't need to separate my users for security reasons, I only care that it's my app accessing the server, ie if my security requirements are quite weak. In this case I'd use a fixed username/password for the whole app and possibly an X.509 client certificate if Android supports them.
请记住,无论你如何安全的东西,所有的凭据是已知的用户,也可以平凡从中提取一个.apk文件,所以你还是得承担任何人都可以访问您的Web服务方法,不只是你的应用程序。因此把它们写。
Remember that no matter how you secure things, all credentials are either known to the user or can be extracted trivially from a .apk so you still have to assume anybody could access your web service methods, not just your app. Write them accordingly.
你的没有的只是发送SQL从你的应用程序通过Web服务调用服务器并返回结果为JSON。这是horrifyingly不安全的,还有丑陋的和笨重。编写Web服务方法为你想要的应用程序,以能够执行并保持SQL服务器中的每个单独的任务。请记住,使用参数化查询和小心其他的SQL注入风险。这些Web服务方法可以使用一个或多个查询来产生一个单一的答复 - 例如,你可以收集客户记录和所有相关的地址和联系记载,然后返回结果在一个不错的JSON对象的Android设备可以消耗,节省了大量的缓慢和不可靠的网络往返。
Do not just send SQL from your app over a web service call to the server and return the results as JSON. This is horrifyingly insecure, as well as ugly and clunky. Write a web service method for each individual task you want the app to be able to perform and keep the SQL in the server. Remember to use parameterised queries and be careful of other SQL injection risks. These web service methods may use one or more queries to produce a single reply - for example, you might collect a "Customer" record and all associated "Address" and "Contact" records then return the result in a nice JSON object the Android device can consume, saving numerous slow and unreliable network round trips.
不管你用什么,一定要在后台工作线程做你的Web服务调用,而不是阻止用户界面。是ppared为超时和错误$ P $,和用于需要重试。测试你的应用程序通过模拟间歇性连接丢失,高延迟和丢包率很高,并确保它仍然是可用的。
No matter what you use, make sure to do your web service calls in a background worker thread and not to block the user interface. Be prepared for timeouts and errors, and for the need for retries. Test your app by simulating intermittent connection loss, high latency, and high rates of packet loss and make sure it remains usable.
这篇关于我怎样才能安全地(间接)查询中的Android PostgreSQL数据库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
