我应该在哪里保存数据库的凭据? [英] Where should I keep the credentials of my database?
问题描述
将数据库的用户名和密码保存在xml文件中并将其导入到spring security的安全文件中是个好主意吗?还有什么更好的选择吗?如果我需要加密密码,该如何做以及如何在phpMyAdmin上找到密码的加密版本? MySQL
login-service.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost/muDB" />
<property name="username" value="jack" />
<property name="password" value="alex123432" />
</bean>
</beans>
myproject-security.xml
....
<beans:import resource='login-service.xml'/>
....
请注意:由于所有与用户相关的密码均已加密,因此我仅打算隐藏DATABASE本身的密码,而不是表列的密码.我的应用程序将使用此密码来连接到数据库.
首先,您应该知道,无论您做什么,如果攻击者获得了访问服务器文件的权限,他将能够窃取密码.
如果您使用应用服务器的数据源,则只需将纯文本密码的位置移动到其他文件即可.
如果您使用某种形式的加密来避免存储明文密码,则您的应用仍将必须使用已经拥有的另一个密码来解密它.如果攻击者竭尽全力来访问您的系统,则您可以确信他也将知道这一点.您正在做的是混淆(并获得错误的安全感),而不是实际保护它.
一种更安全的解决方案是让用户在应用启动时提供密码(或用于解密数据库密码的密码),但这确实使管理变得困难.而且,如果您已经对某人可以访问您的服务器感到不安(一种很好的安全性,而不是疯狂的一种),则应考虑将DB密码驻留在系统内存中.
除此之外,将密码保存在配置文件中(您可以确信该服务器不会向外界显示),锁定系统并仅向数据库用户提供所需的最低权限. /p>
Is it a good idea to keep the username and password of database in a xml file and import it into security file of the spring security ? is there any better option? If I need to encrypt the password how to do it and how to find the encrypted version of password on phpMyAdmin? MySQL
login-service.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost/muDB" />
<property name="username" value="jack" />
<property name="password" value="alex123432" />
</bean>
</beans>
myproject-security.xml
....
<beans:import resource='login-service.xml'/>
....
PLEASE NOTE: As all user related passwords are already encrypted, I am only intended to hide the password of the DATABASE itself not table columns. This password would be used by my application to get connected to the database.
First of all, you should be aware that no matter what you do, if an attacker gains access to your server files, he will be able to steal the password.
If you use an app server's datasource then you just move the location of the plaintext password to a different file.
If you use some form of encryption to avoid storing a plaintext password your app will still have to decrypt it with another password which it will already have. If an attacker goes to great lengths to gain access to your system you can be fairly confident that he will know that too. What you are doing is obfuscating (and gaining a false sense of security) rather than actually securing it.
A more secure solution is for a user to provide the password (or a password to decrypt the DB password) during your app's startup, but that will make administration really difficult. And if you are already paranoid (the good security kind, not the crazy kind) that someone has access to your server, you should consider that the DB password will reside in the system memory.
Other than that, keep your password in your configuration file (which you can be fairly confident that the server won't show to the outside world), lock down your system and give the database user only the minimum permissions required.
这篇关于我应该在哪里保存数据库的凭据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
