如何避免存储凭据以使用JDBC连接到Oracle? [英] How to avoid storing credentials to connect to Oracle with JDBC?
问题描述
是否可以在不向配置文件(或任何其他标准可读位置)提供用户名/密码信息的情况下建立与Oracle的JDBC连接?
Is it possible to setup a JDBC connection to Oracle without providing username/password information in a configuration file (or in any other standard readable location)?
通常,应用程序具有一个配置文件,该文件包含用于连接数据库的设置参数.一些DBA的用户名和密码在配置文件中以明文形式存在问题.
Typically applications have a configuration file that contains setup parameters to connect to a database. Some DBAs have problems with the fact that usernames and passwords are in clear text in config files.
我认为这在Oracle和JDBC中是不可能的,但是我需要一些确认...
I don't think this is possible with Oracle and JDBC, but I need some confirmation...
可能的折衷办法是在设置连接之前对配置文件中的密码进行加密并对其进行解密.当然,解密密钥不应位于同一配置文件中.这只会解决未经授权的用户意外打开配置文件的情况.
A possible compromise is to encrypt the password in the config file and decrypt it before setting up the connection. Of course, the decryption key should not be in the same config file. This will only solve accidental opening of the config file by unauthorized users.
推荐答案
您可能想尝试Kerberos,它可以使用OS用户的凭据并将OS用户添加到外部标识的数据库中.确保您使用的是Kerberos,而不是使用旧的方法,因为这存在严重的安全性问题.
You may want to try Kerberos which can use the OS user's credentials and adding the OS user to the database as identified externally. Make sure that you use Kerberos and not the old way of doing this, which had serious security issues.
要获得Kerberos支持,您将需要高级安全性选项和最新的JDBC驱动程序(可能是11g版本).在尝试使其在Java中工作之前,请在Sql * Plus中使用"/"作为用户名和空密码进行尝试. 从双重选择用户"应为您提供user @ domain.您可能还会发现,在配置Kerberos时,使用瘦驱动程序或OCI驱动程序有根本的区别.
For Kerberos support you would need the advanced security option and a recent JDBC driver, probably 11g version. Before trying to get it to work in Java, try it out in Sql*Plus using '/' as username and empty password. "select user from dual" should give you user@domain. You may also find that there is a fundamental difference between using thin or OCI driver when it comes to Kerberos configuration.
这篇关于如何避免存储凭据以使用JDBC连接到Oracle?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
