views: 233
answers: 1

Background

An HTML page will ask the user to type their username and password. These are credentials for a MySQL database (i.e. they will be used in a JDBC connection so that no password is physically stored in the files).

On submit a servlet will be called which tries to connect to the database. If it can, the credentials are correct and a JSP page will load. If not, an error will be displayed.

If the login was a success, the web application will then use servlets performing SQL queries/updates on the database and returning Java Beans to JSP pages.

Questions

For memory purposes I'm guessing the JDBC connection will need to be closed, meaning subsequent pages will need to restart the connection using the credentials provided earlier. Obviously the user doesn't want to be providing a password every time, so it's going to have to be stored anyway. If they are stored in a Java object/bean for that session (considering it would have to be plaintext so it could be retrieved and used)... are they susceptible to attack? Is that just as bad as storing it as text within the code?

I'm assuming someone could hack into the session and call the object (if they know this?) with the details in and voila?

What alternatives are there?

A: 

Since starting a new connection is so expensive, the connection is saved in the session. Therefore subsequent pages get the same connection object.

As for the security of this: this is as secure as your webserver. If someone can get access to the host and login as the user under which the webserver runs or as root, they can get access to the process.

This doesn't give them access to the credentials, though, since the JDBC driver doesn't save them either (unless you use a global datasource which you don't). They could try to invoke methods on the connection object but that's equivalent to hacking a running Java VM and that's pretty hard to do unless you fail to install all the available security updates.

Aaron Digulla
Thanks for the speedy response. In the scenario it is assumed that the server is secure (i.e. other secure applications run on it) and SSL will be used. So I'm assuming that's all good. Silly follow-up - how do I save the connection object to the session, by passing it to the response? Or is this just a given?
ajr
The HttpServletRequest object can give you a Session object in which you can store anything you like. See http://java.sun.com/javaee/5/docs/api/javax/servlet/http/HttpServletRequest.html#getSession%28%29
Aaron Digulla
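The pattern the answer and its follow-up comment describe, written out as an added example (this is not code from the question, the answer, or any project): the login servlet opens a JDBC connection with the credentials the user typed, keeps that Connection in the HttpSession obtained from HttpServletRequest.getSession(), and later servlets reuse it instead of asking for the password again. Everything specific here is assumed for illustration: the MySQL URL in JDBC_URL, the pages /login.html, /home.jsp and /orders.jsp, the session attribute name "db", an orders table, and Servlet API 2.5+ with a JDBC 4 driver (for Connection.isValid).

```java
// Added example, not code from the original question or answer. It shows the
// pattern the answer describes: open a JDBC connection with the credentials the
// user typed, keep that Connection in the HttpSession, and reuse it from later
// servlets. Assumed: MySQL at JDBC_URL below, pages /login.html, /home.jsp and
// /orders.jsp, the attribute name "db", Servlet API 2.5+ and JDBC 4.
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Holds the per-user Connection; closes it when the session ends or is invalidated. */
class DbHolder implements HttpSessionBindingListener {
    static final String ATTR = "db";             // assumed attribute name
    final Connection conn;
    DbHolder(Connection conn) { this.conn = conn; }

    public void valueBound(HttpSessionBindingEvent e) { }

    /** Called on session.invalidate() and on timeout, so connections do not leak. */
    public void valueUnbound(HttpSessionBindingEvent e) {
        try { conn.close(); } catch (SQLException ignored) { }
    }

    /** Returns the session's connection if it is still usable, otherwise null. */
    static Connection get(HttpServletRequest req) throws SQLException {
        HttpSession s = req.getSession(false);
        DbHolder h = s == null ? null : (DbHolder) s.getAttribute(ATTR);
        return (h != null && !h.conn.isClosed() && h.conn.isValid(2)) ? h.conn : null;
    }
}

public class LoginServlet extends HttpServlet {
    static final String JDBC_URL = "jdbc:mysql://localhost:3306/appdb"; // assumed

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Connection conn;
        try {
            // The password goes to the driver only; nothing in the app retains it.
            conn = DriverManager.getConnection(JDBC_URL,
                    req.getParameter("username"), req.getParameter("password"));
        } catch (SQLException e) {
            // Bad credentials (or database unreachable): no session state is created.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }
        // Drop any pre-login session so an attacker-chosen id is not promoted (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(DbHolder.ATTR, new DbHolder(conn));
        resp.sendRedirect(req.getContextPath() + "/home.jsp");
    }
}

/** A later page: reuses the saved connection instead of asking for the password again. */
class OrdersServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            Connection conn = DbHolder.get(req);
            if (conn == null) {                    // not logged in, or connection dropped
                resp.sendRedirect(req.getContextPath() + "/login.html");
                return;
            }
            // Queries on the shared connection still go through PreparedStatement,
            // never string concatenation of request parameters.
            try (PreparedStatement ps = conn.prepareStatement(
                    "SELECT id, total FROM orders WHERE customer = ?")) {
                ps.setString(1, req.getParameter("customer"));
                try (ResultSet rs = ps.executeQuery()) {
                    java.util.List<String> rows = new java.util.ArrayList<String>();
                    while (rs.next()) rows.add(rs.getInt("id") + ":" + rs.getBigDecimal("total"));
                    req.setAttribute("orders", rows);   // the "bean" the JSP renders
                }
            }
            req.getRequestDispatcher("/orders.jsp").forward(req, resp);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

A logout servlet only needs `req.getSession(false).invalidate()`: unbinding the DbHolder closes the connection. Two caveats a practitioner would want alongside this design: a java.sql.Connection is not Serializable, so the saved connection will not survive session persistence or replication across a cluster, and one connection per logged-in user means concurrent requests from the same browser share a single Connection, which JDBC drivers do not generally guarantee to be safe; the `isValid` check above only detects a dropped connection, it does not serialize access.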