在java中加密数据库用户名和密码？ [英] encrypt database username and password in java?

问题描述

实际上从类型4 db连接从我连接到oracle数据库像这样：

Actually by type 4 db connection from java i am connecting to oracle database like this:

在dbconnection.java我写下面：

In dbconnection.java i have written below:

  Class.forName("oracle.jdbc.driver.OracleDriver"); 
   con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:database host name","database user name", "database user password"); 
  return con;

）以加密形式存储在java类dbconnection.java中，如下所示：

Is there any method how can i write these 3 fields(database host, database username, database user password) in encrypted form in java class dbconnection.java like below:

  Class.forName("oracle.jdbc.driver.OracleDriver"); 
   con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:wrtwtr#$%$_rfwrw","regfwerfgwf", "%%5frfr^&%$%4"); 
  return con;

并且在数据库连接期间，这些加密字段将被解密，并将连接到oracle数据库在实际名称中

然后在servlet中调用：

Then in servlet i am calling like:

  dbconnection db= new dbconnection();

任何帮助请

推荐答案

您应该提供一种安全的方式来允许外部控制的应用程序（或应用程序实例）访问您的数据库，而不是尝试隐藏您的连接详细信息。

Rather than trying to hide your connection details, you should provide a secure way to allow externally controlled applications (or instances of applications) to access your database.

API基本上是数据库和您无法控制的应用程序之间的中间层。例如，Facebook，而不是允许直接访问他们的数据库，允许开发人员通过API访问他们的数据。这意味着应用程序可以进行身份​​验证（因此意味着他们可以负责任），并且您可以明确控制哪些应用程序可以查看和编辑。

An API is basically a middle layer between your database and an application you do not have control over. For example, facebook, rather than allowing direct access to their database, allows developers to access their data through an API. This means that applications can be authenticated (thus meaning they can be held responsible), and you can control explicitly what applications can and cannot see and edit.

基本上，通过API，你可以保护你的数据库，同时跟踪谁在做什么（虽然保护方面通常是主要的）。

Basically, through an API, you can protect your database while simultaneously keeping track of who is doing what (though the protection aspect is usually the main draw).

我必须说，虽然有时，如果你信任使用应用程序的人，它更容易不用担心它。例如，如果你在一个有能力的，有意义的人的小公司工作，那么允许应用程序直接连接到数据库可能是安全的。

I must say though that sometimes, if you trust the people using the application, it's just easier to not worry about it. For example, if you work at a small company of competent, well meaning people, then it would likely be safe to allow the application to connect directly to the database.

如果你正在将你的程序分发给一般大众，或者一大群你不完全和完全信任的人，那么你不应该允许直接访问，无论采取什么样的预防措施。

If you are distributing your program to the general public though, or a large set of people whom you do not completely and totally trust, then you should not allow direct access, no matter what kind of precautions are taken.

假设你确定如何加密你的凭证。在某些时候，您必须仍然进行连接。如果用户抓取解密/连接代码，已建立连接，然后在其后插入自己的代码，现在会发生什么？突然他有权访问你的数据库。使用API​​，最糟糕的情况是，他可以窃取API密钥，并具有有限的，可跟踪的，易于撤销的访问权限。

Assume that you do figure out how to encrypt your credentials. At some point, you must still make the connection. What happens now if a user grabs the decryption/connection code, has the connection made, then inserts his own code after it? Suddenly he has access to your database. With an API, worst case, he could steal the API key and have limited, traceable, easily revokable access.

此外，如果允许访问API ，你只允许用户做你想让他们做的。所以最糟糕的情况是，如果他确定如何直接使用API​​，他所能做的就是程序允许他做任何事情。

And besides, if you're allowing access to an API, you only allow users to do what you want them to do. So worst case, if he does figure out how to use the API directly, all he can do is what the program allows him to do anyway.

这篇关于在java中加密数据库用户名和密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！