
Security with JSP/JavaBeans/Servlets/MySQL

Background

An HTML page will ask the user to type their username and password. These are credentials for a MySQL database (i.e. they will be used in the JDBC connection so that no password is physically stored in the files).

On submit, a servlet will be called which tries to connect to the database. If it can, the credentials are correct and a JSP page will load. If not, an error will be displayed.

If the login was a success, the web application will then use servlets performing SQL queries/updates on the database and returning JavaBeans to JSP pages.

Questions

For memory purposes I'm guessing the JDBC connection will need to be closed, meaning subsequent pages will need to restart the connection using the credentials provided earlier. Obviously the user doesn't want to be providing a password every time, so it's going to have to be stored anyway. If they are stored in a Java object/bean for that session (considering it would have to be plaintext so it could be retrieved and used)... are they susceptible to attack? Is that just as bad as storing it as text within the code?

I'm assuming someone could hack into the session and call the object (if they know about this?) with the details in, and voilà?

What alternatives are there?


Since starting a new connection is so expensive, the connection is saved in the session. Therefore subsequent pages get the same connection object.

As for the security of this: this is as secure as your web server. If someone can get access to the host and log in as the user under which the web server runs, or as root, they can get access to the process.

This doesn't give them access to the credentials, though, since the JDBC driver doesn't save them either (unless you use a global data source, which you don't). They could try to invoke methods on the connection object, but that's equivalent to hacking a running Java VM, and that's pretty hard to do unless you fail to install all the available security updates.

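The pattern the answer describes, as an added example that is not part of the original question or answer: the login servlet authenticates by opening a JDBC connection with the submitted credentials, drops the password, and keeps only the open Connection in the HttpSession; later servlets reuse it without ever seeing a password. The JDBC URL, the `orders` table and its columns, the JSP path and the URL mappings are assumptions made for the example. The wrapper implements HttpSessionBindingListener so the container closes the connection when the session is invalidated or times out, which is the step most easily forgotten with this design.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Holds the per-user JDBC connection; the container calls valueUnbound()
 *  on logout or session expiry, so the connection is closed, not leaked. */
final class SessionConnection implements HttpSessionBindingListener {
    private final Connection conn;
    SessionConnection(Connection conn) { this.conn = conn; }
    Connection get() { return conn; }
    @Override public void valueBound(HttpSessionBindingEvent e) { }
    @Override public void valueUnbound(HttpSessionBindingEvent e) {
        try { conn.close(); } catch (SQLException ignored) { }
    }
}

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Assumed JDBC URL: host, port and schema are placeholders for the example.
    static final String JDBC_URL = "jdbc:mysql://localhost:3306/appdb?useSSL=true";
    static final String ATTR = "dbConnection";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        Connection conn;
        try {
            // MySQL does the authentication. The password stays a local variable;
            // only the resulting open connection goes into the session.
            conn = DriverManager.getConnection(JDBC_URL, user, pass);
        } catch (SQLException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Discard any pre-login session so an attacker-chosen session id is not
        // promoted to an authenticated one (session fixation). Invalidation also
        // closes a connection left behind by an earlier login in this session.
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(15 * 60);  // idle sessions release the connection
        session.setAttribute(ATTR, new SessionConnection(conn));
        resp.sendRedirect(req.getContextPath() + "/orders");
    }
}

/** A later page: reuses the session's connection, no password involved. */
@WebServlet("/orders")
class OrdersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        SessionConnection sc = session == null
                ? null : (SessionConnection) session.getAttribute(LoginServlet.ATTR);
        if (sc == null) {                      // not logged in or session expired
            resp.sendRedirect(req.getContextPath() + "/login.html");
            return;
        }
        List<String> orders = new ArrayList<>();
        // A java.sql.Connection is not thread-safe; two browser tabs in one
        // session would race on it, so serialise its use per session.
        synchronized (sc) {
            String sql = "SELECT order_id FROM orders WHERE status = ?";  // assumed schema
            try (PreparedStatement ps = sc.get().prepareStatement(sql)) {
                ps.setString(1, req.getParameter("status"));  // bound, never concatenated
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) orders.add(rs.getString("order_id"));
                }
            } catch (SQLException e) {
                throw new ServletException(e);
            }
        }
        req.setAttribute("orders", orders);
        req.getRequestDispatcher("/WEB-INF/orders.jsp").forward(req, resp);
    }
}

@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();  // triggers valueUnbound(): connection closed
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```

Two caveats a practitioner should weigh before adopting this. A Connection is not Serializable, so the session cannot be persisted across a container restart or replicated in a cluster; every user lands on one JVM and is logged out when it restarts. And each logged-in user holds a dedicated MySQL connection for the life of their session, so the MySQL `max_connections` limit, not the servlet container, caps the number of concurrent users; the short inactivity timeout above is what keeps that bounded.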
