Secure way for database calls between client-side and server-side in Servlet?

Jason Ever (Greenhorn):
I am building a Java chat application based on Java Secure Sockets and JavaFX, and I use a Derby database on the server side to record the members.

My question is: how do I make a secure connection between the client-side applet and the server side, instead of a direct connection from the client side to the remote database on the server?

I had an idea to use a Servlet as a remote API, call it from the client side, and tell it the command to run in the remote database on the server.

Is this method safe and secure? I am worried that a bad person may try to fetch the API URL and call it maliciously, adding wrong records to the database without needing to log in to the client-side application, and try to hack the database. So how do I secure myself against this? Note that the client-side application may be installed on many computers, so don't tell me to secure the API by restricting which remote IPs are allowed to connect via the API.

And if there are any other, more secure methods, please tell me.

Thank you,

Ulf Dittmer (Rancher):
Not using JDBC in the applet, but instead using some kind of API to access a servlet container (which in turn accesses the DB) is a good first step.

If you don't want arbitrary clients executing arbitrary API calls, then you need some kind of authentication. I can't tell from your post whether you're thinking of requiring a login or ruling that out, but some kind of authentication is needed.
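The contrast between the "tell the servlet which command to run" idea from the first post and a servlet that exposes one fixed operation behind an authenticated session, as an added example that is not code from the thread. It uses the standard Servlet and JDBC APIs; the JNDI name `jdbc/chat`, the table `MEMBERS(NAME, EMAIL)` and the session attribute `userId` (set by a login step that is not shown here) are assumptions. The two servlets are shown in one listing; in a project each goes in its own file.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/*
 * BAD: the client sends the SQL it wants executed. Whoever finds the URL owns
 * the database: no login, arbitrary statements, SQL injection by design.
 */
class RunCommandServlet extends HttpServlet {
    @Resource(name = "jdbc/chat")            // container-managed Derby DataSource (assumed name)
    private DataSource ds;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sql = req.getParameter("sql"); // attacker-controlled text
        try (Connection c = ds.getConnection(); Statement st = c.createStatement()) {
            st.execute(sql);                  // executes whatever arrived
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}

/*
 * BETTER: one fixed operation ("register a member"). The servlet refuses
 * requests without an authenticated session, validates the two fields it
 * accepts, and binds them with a PreparedStatement, so the client never
 * supplies SQL text at all.
 */
public class AddMemberServlet extends HttpServlet {
    @Resource(name = "jdbc/chat")
    private DataSource ds;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Authentication: only a session created by a prior login counts.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // 2. Validation: fixed parameters with length and character limits.
        String name = req.getParameter("name");
        String email = req.getParameter("email");
        if (name == null || email == null
                || !name.matches("[\\p{L}\\p{N} _-]{1,64}")
                || !email.matches("[^@\\s]{1,64}@[^@\\s]{1,190}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 3. Bound parameters: values are never concatenated into the statement.
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                     "INSERT INTO MEMBERS (NAME, EMAIL) VALUES (?, ?)")) {
            ps.setString(1, name);
            ps.setString(2, email);
            ps.executeUpdate();
            resp.setStatus(HttpServletResponse.SC_CREATED);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

The second servlet still runs over TLS (the secure sockets the application already uses) and still needs the login step that populates the session; what it removes is the ability of any caller, authenticated or not, to choose which statement the server executes.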

Jason Ever (Greenhorn):
Ulf Dittmer wrote:
Not using JDBC in the applet, but instead using some kind of API to access a servlet container (which in turn accesses the DB) is a good first step.

If you don't want arbitrary clients executing arbitrary API calls, then you need some kind of authentication. I can't tell from your post whether you're thinking of requiring a login or ruling that out, but some kind of authentication is needed.

Thank you, dear. I thought of doing authentication for the API by adding an access-key parameter to the API URL when the client side connects to the API, but I think that this access key may be stolen by a hacker, and then he can call the API directly as well.

Ulf Dittmer (Rancher):
That goes for just about any kind of authentication. If the API is important enough to need protection against that (which means more secure than at least 95% of all web sites and APIs out there), you can resort to two-factor authentication, assuming we're talking about human access and not automated access. That makes it much less likely that unauthorized access can happen, but not impossible (unless maybe one of the factors is biometrics). But now we're talking a three-letter-agency security level, which you would not be discussing in a public forum like this :-)
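A shared access key baked into every installed copy of the client is extracted from the first copy an attacker gets, as the two posts above discuss; the usual answer is a per-user credential checked by a login endpoint, which then issues a server-side session that a filter requires on every API call. The following is an added example, not code from the thread: it uses only the JDK (`PBKDF2WithHmacSHA256`, `MessageDigest.isEqual`) and the Servlet API; `CredentialStore` is a stand-in for the Derby lookup, and the `/api/*` path and 15-minute timeout are assumptions. The classes are shown in one listing; in a project each goes in its own file.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* Password storage: a salted, iterated hash is stored, never the password. */
final class PasswordHash {
    private static final int ITERATIONS = 310_000; // work factor; tune to your hardware (assumption)
    private static final int KEY_BITS = 256;

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    static byte[] hash(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /* Constant-time comparison: timing must not reveal how many bytes matched. */
    static boolean verify(char[] password, byte[] salt, byte[] expected) {
        return MessageDigest.isEqual(hash(password, salt), expected);
    }
}

/* What the MEMBERS table holds for one user (stand-in for the Derby lookup). */
final class StoredCredential {
    final byte[] salt, hash;
    StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
}

interface CredentialStore {
    StoredCredential lookup(String user); // null when the user does not exist
}

/* Login: verifies the per-user credential and starts a fresh server-side session. */
public class LoginServlet extends HttpServlet {
    private CredentialStore store; // wired to Derby by the deployment (assumption)

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        StoredCredential cred = (user == null || pass == null) ? null : store.lookup(user);
        // Same response for "no such user" and "wrong password": no username enumeration.
        if (cred == null || !PasswordHash.verify(pass.toCharArray(), cred.salt, cred.hash)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();         // new session id on login (no fixation)
        HttpSession s = req.getSession(true);
        s.setAttribute("userId", user);
        s.setMaxInactiveInterval(15 * 60);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

/* Gate: every /api/* request needs TLS and an authenticated session; nothing else is trusted. */
@WebFilter("/api/*")
class ApiAuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession s = req.getSession(false);
        if (!req.isSecure() || s == null || s.getAttribute("userId") == null) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

A stolen session cookie is still a stolen credential, which is Ulf's point; the difference from a static key in the URL is that it belongs to one user, expires, can be revoked server-side, and never ships inside the installer.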

Sujeeth Pakala (Ranch Hand):
Two options struck my mind:

1. Write an EJB and expose it as a RESTful web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client easily using annotations. Use the JSON data format, which eases parsing the data.

2. Write an EJB and expose it as a SOAP web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and Dispatch, maintain a client session, and impose transactions. Note that the SOAP protocol has more advantages in terms of security, transactions etc.

Hope this helps.

Jason Ever (Greenhorn):
Sujeeth Pakala wrote:
Two options struck my mind:

1. Write an EJB and expose it as a RESTful web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client easily using annotations. Use the JSON data format, which eases parsing the data.

2. Write an EJB and expose it as a SOAP web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and Dispatch, maintain a client session, and impose transactions. Note that the SOAP protocol has more advantages in terms of security, transactions etc.

Hope this helps.

Thank you very, very much, my dear.

I built an API using RESTful web services, using @Controller and @Entity (entity beans), but I am confused between taking advantage of session beans and using them inside the Spring MVC controller (which represents the RESTful web service).

To explain more about my theory:
1. The client connects to the RESTful API (Spring controller).
2. The Spring controller connects locally to a session bean.
3. The session bean connects to the entity bean, then processes the request and returns the result.

Do I need to do these steps with a Spring RESTful API? Or do I not need session beans at all, and can I use only RESTful web services (Spring controller) and connect directly from it to the EJB entity beans? Do Spring RESTful web services give me identical advantages to session beans?

Sujeeth Pakala (Ranch Hand):
Jason,

Do you have a strong reason to use Spring?

If not, as I mentioned earlier, you can expose an EJB session bean as a RESTful web service. With this, you can eliminate the Controller and EntityBean. The code snippet below will give you an idea.

Jason Ever (Greenhorn):
Dear Sujeeth,

Thank you again.

For Spring, I don't have a strong reason, but I feel that it's easier to develop RESTful services using it, plus secondary things such as the RestTemplate object... mmmm, but I will think about your last reply and will think about steps to secure my API using authentication by adding a @PostConstruct method to check if the request is authorised or not.

Sujeeth Pakala (Ranch Hand):
Jason,

Taking advantage of Spring's RestTemplate is a good idea, and using Spring Security is a way to secure your resource.

thinking about steps to secure my API using authentication by adding a @PostConstruct method to check if the request is authorised or not

That is not the preferred way. The EJB 3.0 API has predefined annotations which secure EJB session beans.

Take a look at this if you decided to use EJBs.

Hope this helps.
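A stateless session bean exposed directly as a JAX-RS resource and secured with the EJB 3 security annotations Sujeeth refers to, instead of a Spring controller in front of it or a hand-written @PostConstruct check, as an added example; it is not Sujeeth's snippet or any code from the thread. Assumptions: the role names `member` and `admin`, a `Member` JPA entity with a `nick` column (the two classes are one listing here, separate files in a project), and that the web tier has already authenticated the caller (a realm such as the JDBC realm from the linked blog posts, plus a `login-config` in web.xml, with the roles mapped to realm groups in the server's deployment descriptor). Without that mapping the container sees every caller as anonymous and `@RolesAllowed` rejects all of them, which is the correct failure mode.

```java
import java.util.List;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/* The member row, as a JPA entity (replaces the old-style entity bean). */
@Entity
class Member {
    @Id @GeneratedValue private Long id;
    private String nick;

    public Long getId() { return id; }
    public String getNick() { return nick; }
    public void setNick(String nick) { this.nick = nick; }
}

/*
 * The session bean IS the REST endpoint. The EJB container checks the
 * caller's roles before any method body runs, so there is nothing to
 * re-implement in @PostConstruct; the bean keeps only validation and
 * bound-parameter queries.
 */
@Stateless
@Path("/members")
@DeclareRoles({"member", "admin"})
public class MemberResource {

    @PersistenceContext
    private EntityManager em;

    /* Read-only lookup open to everyone, still with a bound parameter. */
    @GET
    @Path("/{nick}")
    @PermitAll
    @Produces(MediaType.APPLICATION_JSON)
    public Response find(@PathParam("nick") String nick) {
        List<Member> hits = em.createQuery(
                "SELECT m FROM Member m WHERE m.nick = :nick", Member.class)
                .setParameter("nick", nick)
                .getResultList();
        return hits.isEmpty()
                ? Response.status(Response.Status.NOT_FOUND).build()
                : Response.ok(hits.get(0)).build();
    }

    /* Creation requires an authenticated member; anonymous callers never reach this body. */
    @POST
    @RolesAllowed("member")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response create(Member m) {
        if (m.getNick() == null || !m.getNick().matches("[\\p{L}\\p{N}_-]{1,32}")) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        em.persist(m);
        return Response.status(Response.Status.CREATED).build();
    }

    /* Destructive operations are pinned to the narrower role. */
    @DELETE
    @Path("/{nick}")
    @RolesAllowed("admin")
    public Response remove(@PathParam("nick") String nick) {
        int n = em.createQuery("DELETE FROM Member m WHERE m.nick = :nick")
                  .setParameter("nick", nick)
                  .executeUpdate();
        return n == 0
                ? Response.status(Response.Status.NOT_FOUND).build()
                : Response.noContent().build();
    }
}
```

A logged-in member who calls DELETE gets an `EJBAccessException` from the container (surfacing as 403 or 500 depending on how the JAX-RS runtime maps it) before the JPQL runs; the point Sujeeth makes is that this decision is declared, not coded, so it cannot be forgotten on a new method the way a manual check can.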

Jason Ever (Greenhorn):
Sujeeth Pakala wrote:
Jason,

Taking advantage of Spring's RestTemplate is a good idea, and using Spring Security is a way to secure your resource.

thinking about steps to secure my API using authentication by adding a @PostConstruct method to check if the request is authorised or not

That is not the preferred way. The EJB 3.0 API has predefined annotations which secure EJB session beans.

Take a look at this if you decided to use EJBs.

Hope this helps.

Thank you, dear Sujeeth. I am confused, because this type of security, as I read, does not offer the wanted trick for the users system inside my chat application, which depends on a user-groups system. As I read, I must predefine these groups first inside the EJB class and the XML file, so what happens if I add new groups with different names and different permissions?! I think that it's not possible with this type of security? Or am I wrong? I am sorry for my repeated questions, but I want to build an equivalent EJB system, talk the right way, and take its advantages.

Resources which I read:
http://blog.eisele.net/2011/01/jdbc-security-realm-and-form-based.html
http://blog.eisele.net/2013/01/jdbc-realm-glassfish312-primefaces342.html
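The last post is right that the roles named in `@DeclareRoles`/`@RolesAllowed` and mapped in the deployment descriptors are fixed at deployment time. The usual way to keep user-created chat groups out of that static set is to use the container role only as a coarse gate ("is a logged-in member at all") and to decide group membership and per-group permissions from database rows at request time, keyed on the principal the container reports. This is an added example, not from the thread or the linked articles: the `GroupPermission` and `ChatMessage` entities, the permission names `read`/`post`/`invite`, and the URL layout are assumptions, and the classes are one listing here but separate files in a project.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/* One row per (group, user, named permission): groups and permissions are data, not deploy-time roles. */
@Entity
class GroupPermission {
    @Id @GeneratedValue Long id;
    long groupId;
    String member;      // principal name exactly as the realm reports it
    String permission;  // "read", "post", "invite" (assumed names)

    GroupPermission() {}
    GroupPermission(long groupId, String member, String permission) {
        this.groupId = groupId; this.member = member; this.permission = permission;
    }
}

@Entity
class ChatMessage {
    @Id @GeneratedValue Long id;
    long groupId;
    String author;
    String text;

    ChatMessage() {}
    ChatMessage(long groupId, String author, String text) {
        this.groupId = groupId; this.author = author; this.text = text;
    }
}

@Stateless
@Path("/groups")
public class GroupResource {

    @Resource
    private SessionContext ctx;   // source of the authenticated caller's identity

    @PersistenceContext
    private EntityManager em;

    /* Fine-grained check. The identity comes from the container, never from the request body. */
    private String requirePermission(long groupId, String permission) {
        Principal caller = ctx.getCallerPrincipal();
        long hits = em.createQuery(
                "SELECT COUNT(p) FROM GroupPermission p "
              + "WHERE p.groupId = :g AND p.member = :u AND p.permission = :perm", Long.class)
                .setParameter("g", groupId)
                .setParameter("u", caller.getName())
                .setParameter("perm", permission)
                .getSingleResult();
        if (hits == 0) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return caller.getName();
    }

    /* Coarse gate: @RolesAllowed("member") = logged in at all.
       Fine gate: requirePermission = holds "post" in this particular group. */
    @POST
    @Path("/{id}/messages")
    @RolesAllowed("member")
    @Consumes(MediaType.TEXT_PLAIN)
    public Response post(@PathParam("id") long groupId, String text) {
        String author = requirePermission(groupId, "post");
        if (text == null || text.isEmpty() || text.length() > 2000) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        em.persist(new ChatMessage(groupId, author, text));
        return Response.status(Response.Status.CREATED).build();
    }

    /* Inviting writes permission rows: a new group or member needs data, not a redeploy. */
    @POST
    @Path("/{id}/members/{nick}")
    @RolesAllowed("member")
    public Response invite(@PathParam("id") long groupId, @PathParam("nick") String nick) {
        requirePermission(groupId, "invite");
        if (!nick.matches("[\\p{L}\\p{N}_-]{1,32}")) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        em.persist(new GroupPermission(groupId, nick, "read"));
        em.persist(new GroupPermission(groupId, nick, "post"));
        return Response.noContent().build();
    }
}
```

The check to watch in review is that `requirePermission` reads the caller from `SessionContext`, not from a `user` parameter: if the client could name the user, any authenticated member could post as anyone. The container's static role set stays tiny (one or two roles), and everything group-specific lives in rows the application can create, change and revoke at runtime.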