Mongodb: client side user authentication security issue
I am using the Mongodb Java driver for my Java client application. It needs to connect to a mongodb server running remotely.
I am concerned that someone could decompile the jar and find out the IP address of the mongodb server and access it. But the user needs to have read and write access. Should I create a database for each user and authenticate them, or create a User collection myself?
Mongo mongo = new Mongo("mongodb.server", 27017);
DB db = mongo.getDB("mydatabase");
// authenticate(String, char[]) returns false when the credentials are rejected
boolean ok = db.authenticate("test", "password".toCharArray());
btw, db.authenticate requires a char[] as the password... so db.authenticate() is not working.
Another solution I thought of was to use a middleman server which will connect to mongodb only. The application would connect to the middleman server via HTTP POST.
However, I need to directly store Java objects serialized into JSON on mongodb, so using a middleman server makes things difficult.
If you are deploying code to clients, then you could create a user per db and have them enter it, or include it as a resource in your application (unique to each user download).
Generally people don't expose their database directly to their (untrusted) clients. Many people create REST/Remote APIs for this purpose, where each application function requires authentication and can be authorized.
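To make the API-layer answer concrete, here is an added example (not code from the question or from any of the answers) of a minimal HTTP "middleman" service that sits in front of MongoDB. It uses the JDK's built-in com.sun.net.httpserver (Java 9 or later, for InputStream.readAllBytes) and the legacy 2.x MongoDB Java driver classes the question uses (Mongo, DB, DBCollection, com.mongodb.util.JSON). The MongoDB host and service-account password are hypothetical placeholders that would come from server-side configuration; the application-user table (alice) is constructed inline. Each request is authenticated with HTTP Basic credentials verified against a PBKDF2 hash, and the service, not the client, decides the owner field of whatever is written, so the client jar never contains a database address or credential:

```java
import com.mongodb.BasicDBObject;
import com.mongodb.DB;
import com.mongodb.DBCollection;
import com.mongodb.Mongo;
import com.mongodb.util.JSON;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class MiddlemanServer {
    // Hypothetical placeholders: in practice these come from server-side
    // configuration and are never present in the client jar.
    static final String MONGO_HOST = "mongodb.server";
    static final char[] SERVICE_PASSWORD = "password".toCharArray();

    // Constructed application-user table: username -> {salt, PBKDF2 hash}.
    // The service verifies client passwords against it; MongoDB never sees them.
    static final Map<String, byte[][]> USERS = new HashMap<>();
    static {
        byte[] salt = "constructed-salt-for-alice".getBytes(StandardCharsets.UTF_8);
        USERS.put("alice", new byte[][] { salt, pbkdf2("alice-secret".toCharArray(), salt) });
    }

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the verified username from an HTTP Basic Authorization header, or null. */
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String[] parts;
        try {
            parts = new String(Base64.getDecoder().decode(header.substring(6)),
                    StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        byte[][] stored = parts.length == 2 ? USERS.get(parts[0]) : null;
        if (stored == null) return null;
        char[] pw = parts[1].toCharArray();
        try {
            // constant-time comparison of the derived key against the stored hash
            return MessageDigest.isEqual(stored[1], pbkdf2(pw, stored[0])) ? parts[0] : null;
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    static void respond(HttpExchange ex, int status) throws IOException {
        ex.sendResponseHeaders(status, -1);   // -1: no response body
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        Mongo mongo = new Mongo(MONGO_HOST, 27017);
        DB db = mongo.getDB("mydatabase");
        if (!db.authenticate("test", SERVICE_PASSWORD)) {
            throw new IllegalStateException("MongoDB rejected the service account");
        }
        Arrays.fill(SERVICE_PASSWORD, '\0');   // secret no longer needed in memory
        DBCollection items = db.getCollection("items");

        // Plain HTTP for brevity; Basic auth must run over TLS (HttpsServer) when deployed.
        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);
        server.createContext("/items", ex -> {
            String user = authenticate(ex.getRequestHeaders().getFirst("Authorization"));
            if (user == null) { respond(ex, 401); return; }
            if (!"POST".equals(ex.getRequestMethod())) { respond(ex, 405); return; }
            Object parsed;
            try {
                parsed = JSON.parse(new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8));
            } catch (RuntimeException badJson) {
                respond(ex, 400); return;
            }
            if (!(parsed instanceof BasicDBObject)) { respond(ex, 400); return; }
            BasicDBObject doc = (BasicDBObject) parsed;
            doc.put("owner", user);   // authorization: the server, not the client, fixes the owner
            items.insert(doc);
            respond(ex, 204);
        });
        server.start();
    }
}
```

The JSON body the client already produces is stored unchanged apart from the owner field, which addresses the concern that a middleman makes storing serialized objects difficult; reads would be added the same way, with the query constrained to the authenticated owner.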
It is against security best practice to hard code credentials - just don't do it. A web service layer is the best way to go about it, as Scott mentioned.
I went to a MongoDB user conference and was told that they are working on third party authentication systems (active directory/ldap etc). Once that is available, you may be able to use things like Windows Integrated Authentication etc. (assuming drivers support it), or at the very least password authentication using LDAP.
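For the case where the client does talk to MongoDB directly, the two answers above agree on one thing: the credential must be supplied at runtime, not compiled into the jar. The following added example (not code from the question or the answers) shows that with the legacy 2.x driver API used on this page: the user is prompted on the console, the password arrives as a char[] (which is why DB.authenticate takes char[]), the boolean result is checked, and the array is wiped afterwards. The host name is the one from the question; the database and class names are assumptions.

```java
import com.mongodb.DB;
import com.mongodb.Mongo;

import java.io.Console;
import java.util.Arrays;

public class PromptedLogin {
    /** Authenticates with credentials typed by the user; the password array is wiped afterwards. */
    static boolean login(Mongo mongo, String dbName, String user, char[] password) {
        try {
            DB db = mongo.getDB(dbName);
            return db.authenticate(user, password);   // legacy 2.x signature: (String, char[])
        } finally {
            Arrays.fill(password, '\0');              // do not leave the secret in memory
        }
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            System.err.println("no interactive console; run from a terminal");
            System.exit(2);
        }
        String user = console.readLine("MongoDB user: ");
        char[] password = console.readPassword("Password: ");   // never a String literal in the jar

        Mongo mongo = new Mongo("mongodb.server", 27017);       // host from the question
        if (!login(mongo, "mydatabase", user, password)) {
            System.err.println("authentication failed");
            System.exit(1);
        }
        // mongo.getDB("mydatabase") now operates with this user's privileges only;
        // a decompiled jar reveals the host, but no credential that works for anyone else.
    }
}
```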
Auth should be done with the "admin" db. Use the following instead:
Mongo mongo = new Mongo("mongodb.server", 27017);
DB admin = mongo.getDB("admin");
// the password must be a char[]; check the boolean result instead of assuming success
boolean ok = admin.authenticate("test", "password".toCharArray());
DB db = mongo.getDB("mydatabase");