Hi. I'm developing a new web application and I have some questions about security.
The network scenario is:
- 1 firewall
- 1 application server (with Tomcat)
- 1 database server (with Oracle)
- Using FORM (as login-config)
The question is: is the application accessing a database installed on the application server more secure than accessing the database directly on the database server? I suppose that if some invasion occurs, they will just access the database on the application server and won't access the database on the database server. In this case, I'll synchronize the databases twice a day.
I know that I'll lose a lot of time developing the synchronization of the databases. But I'll do this if it's necessary.
Dadonas
Don't gain the world and lose your soul.
You only have one machine to secure, so from that point of view yes. Of course this architecture will affect your application's performance. Securing two machines and securing the link between them is not a hard thing to do though.
If they get that far you are in serious trouble, there are no two ways about it. It could be argued that if they got this far you could be in more trouble if the database is on the same machine. For example, SQL Server allows people to log in using Windows credentials. If those are compromised they can access that database plus any other unsecured SQL Server instances in the network. If the DB is remote, all they could manage is to access it using the same DataSource credentials as your application uses, which presumably is limited by DB roles, grants etc.?
Using the security resources of Tomcat like users and roles, and applying them to the servlets, will my application be secure? Is it possible for someone to do something in my database just by accessing the URL of some servlet? I'm using FORM as login config.