如何为基于客户端服务器的Java桌面应用程序保护数据库凭据 [英] How to secure Database Credentials for a client-server based Java Desktop Application
问题描述
好吧,在我开始之前,我知道很多人已经问过这个问题.但是我真的没有找到我想要的解决方案.所以我在这里,解释我的项目&要求问同样的问题.
Ok, before I start, I know a lot of people have already asked this question. But I really didnt find the solution I was looking for. So here I am, explaining my project & requirements, & asking the same question.
我正在做有关远程电子投票系统的最后一个项目. 使用Java 开发客户端应用程序,该应用程序允许公共用户使用LOGINID& LOGINPASS(由选举委员会授予每个&每个选民). 然后,客户端应用程序显示参与选举的候选人列表.有单选按钮可以选择其中之一.选择后,用户可以按投票"按钮以进行投票".
I am doing a final year project on REMOTE ELECTRONIC VOTING SYSTEM. Developing a client side application, using java, that allows the public users to login to the APPLICATION using a LOGINID & LOGINPASS(Given to each & every voter by the election commission or so). The client-side application then displays a list of candidates participating in the election, & has radio buttons to choose one of it. After choosing, the user can then press a "CAST VOTE" button in order the "cast the vote".
现在的问题是,要投票",我需要将此信息发送到服务器上的数据库.我如何建立从客户端应用程序到数据库的连接,以更新所需的表/细节?我将数据库凭据硬编码到源代码中,但是最近意识到这是非常不安全的.
The problem now is, to "cast the vote", I need to send this information to a database on the server. How can I make a connection from the client-side app to the database in order to update the desired table/details? I was hardcoding the database credentials into the source code, but realized recently that it is very insecure.
我不能真正使用PROPERTIES文件或CONFIG文件&使用操作系统功能来保护它,因为最终用户也可以读取这些功能(因为它们是操作系统的管理员/所有者)
I cant really use a PROPERTIES files or a CONFIG file & protect it using OS features, since these can be read by the end-users as well(since they are the admin/owner of the OS)
哦,是的,我将以JAR文件的形式分发客户端应用,&因此,无论我将其硬编码为源代码,对其进行加密还是使用属性文件,所有这些都仍然存在风险&进行反编译以了解数据库详细信息.
And oh yeah, I'll be distributing the client-side app as JAR files or so, & hence whether I hardcode it into the source code, encrypt it, or use properties file, all of it are still open for risks & decompiling in order to know the database details.
是否有替代方法? 任何解决方法? 如果有的话,您能否提供有关它的详细信息或实施方法?
Is there an alternate for this? Any workaround? If there is, can you please provide the details about it or how to implement it?
谢谢.
推荐答案
使用普通的客户端服务器应用程序,您不会直接从客户端连接到数据库服务器.而是,客户端连接到服务器(使用LOGINID和LOGINPASS作为身份验证),然后服务器连接到数据库服务器.
With a normal client-server app, you don't connect directly from the client to the database server. Rather, the client connects to the server (using LOGINID and LOGINPASS as authentication), which then connects to the database server.
这意味着客户端不会存储有关数据库的任何信息,而服务器会调解对数据库的所有访问.
That means the client doesn't store any information about the database, and the server mediates all access to it.
这篇关于如何为基于客户端服务器的Java桌面应用程序保护数据库凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
