Application Security

Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Hi. I'm developing a new web application and I have some questions about security.

The network scenario is:
-1 firewall.
-1 application server (with Tomcat).
-1 database server (with Oracle).
-Using FORM (as login-config).

The question is:
-Is the application accessing a database installed in the application server more secure than accessing the database directly in the database server?
I suppose that if some invasion occurs, they will just access the database in the application server and won't access the database in the database server. In this case, I'll synchronize the databases twice a day.

I know that I'll lose a lot of time developing the synchronization of databases. But I'll do this if it's necessary.

Thanks.


Dadonas

Don't gain the world and lose your soul.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Two databases is not a good option. You are generating a considerable amount of difficult work when locking down your infrastructure properly is the much more sensible option.


Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

But regarding security, is accessing the database in the application server more secure than accessing it directly in the database server?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

You only have one machine to secure, so from that point of view yes. Of course this architecture will affect your application's performance. Securing two machines and securing the link between them is not a hard thing to do though.
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Suppose that an invasion occurs... After they break through my firewall, they are in the application server. In this case, does it not matter whether the application is accessing a local or a remote database?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

If they get that far you are in serious trouble, there are no two ways about it. It could be argued that if they got this far you could be in more trouble if the database is on the same machine. For example, SQL Server allows people to log in using Windows credentials. If those are compromised they can access that database plus any other unsecured SQL Server instances in the network. If the DB is remote all they could manage is to access using the same DataSource credentials as your application uses, which presumably is limited by DB roles, grants etc.?
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Using the security resources of Tomcat like users and roles, and applying them to the servlets, will my application be secure? Is it possible for someone to do something in my database just by accessing the URL of some servlet? I'm using FORM as login config.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Your application should be secure to a point. Whether or not the machine it is deployed on is another issue.


Is it possible for someone to do something in my database just by accessing the URL of some servlet?

Depends how your application is coded. For example, if you don't use prepared statements you could be open to SQL injection.
Danilo Dadonas
Ranch Hand

Joined: Aug 24, 2007
Posts: 59

Ok Paul... thanks for your help. When I accomplish the project, can I send you the code and the link privately to your Yahoo e-mail?