Application Security

 
Danilo Dadonas
Ranch Hand
Hi. I'm developing a new web application and I have some questions about security.

The network scenario is:
- 1 firewall.
- 1 application server (with Tomcat).
- 1 database server (with Oracle).
- Using FORM (as login-config).

The question is:
- Is the application accessing a database installed on the application server more secure than accessing the database directly on the database server?
I suppose that if some invasion occurs, they will just access the database on the application server and won't access the database on the database server. In this case, I'll synchronize the databases twice a day.

I know that I'll lose a lot of time developing the synchronization of the databases. But I'll do this if it's necessary.

Thanks.
 
Paul Sturrock
Bartender
Two databases is not a good option. You are generating a considerable amount of difficult work when locking down your infrastructure properly is the much more sensible option.
 
Danilo Dadonas
Ranch Hand
But regarding security, is accessing the database on the application server more secure than accessing it directly on the database server?
 
Paul Sturrock
Bartender
You only have one machine to secure, so from that point of view, yes. Of course, this architecture will affect your application's performance. Securing two machines and securing the link between them is not a hard thing to do though.
 
Danilo Dadonas
Ranch Hand
Suppose that an invasion occurs... After they break through my firewall, they are in the application server. In this case, does it matter whether the application is accessing a local or a remote database?
 
Paul Sturrock
Bartender
If they get that far you are in serious trouble, there are no two ways about it. It could be argued that if they got this far you could be in more trouble if the database is on the same machine. For example, SQL Server allows people to log in using Windows credentials. If those are compromised they can access that database plus any other unsecured SQL Server instances in the network. If the DB is remote, all they could manage is to access it using the same DataSource credentials as your application uses, which presumably is limited by DB roles, grants etc.?
 
Danilo Dadonas
Ranch Hand
Using the security resources of Tomcat like users and roles, and applying them to the servlets, will my application be secure? Is it possible for someone to do something in my database just by accessing the URL of some servlet? I'm using FORM as the login config.
 
Paul Sturrock
Bartender
Your application should be secure to a point. Whether or not the machine it is deployed on is secure is another issue.

Is it possible for someone to do something in my database just by accessing the URL of some servlet?

Depends how your application is coded. For example, if you don't use prepared statements you could be open to SQL injection.
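The prepared-statement point above, shown as an added example that is not from this thread: a login check written with string concatenation beside the same check written with a parameterised statement. It uses Python and an in-memory sqlite3 table (a constructed stand-in for the Oracle user table) so it runs stand-alone; the same split applies to a JDBC Statement versus PreparedStatement in a servlet.

```python
import sqlite3

# Constructed sample rows standing in for the application's user table.
# Passwords are stored in clear only to keep the demo short; a real
# application stores a salted hash.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: form input becomes SQL text.

    Anything the user types is parsed as part of the query, so a crafted
    username or password can change the WHERE clause instead of being
    compared against the stored value.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, username, password):
    """Parameterised statement: the query shape is fixed before any input
    is seen, and the values are bound as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"
    print("valid credentials, prepared:", login_prepared(db, "alice", "s3cret"))
    print("crafted input, vulnerable:  ", login_vulnerable(db, crafted, crafted))
    print("crafted input, prepared:    ", login_prepared(db, crafted, crafted))
```

Binding the values also means a log entry or WAF rule can be checked against the fixed query text, which is what makes injection attempts stand out in monitoring.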
 
Danilo Dadonas
Ranch Hand
Ok Paul... thanks for your help. When I complete the project, can I send you the code and the link privately to your Yahoo e-mail?
 