CMP vs. BMP concerning encrypted data

Dan Ludwig
Greenhorn

Joined: Jun 05, 2004
Posts: 18
Everywhere I keep reading "you should [almost] never have to use BMP with EJB 2+ [if you have a relational database]" or some version of that advice.

But I keep wondering, what if some application data is almost guaranteed to be encrypted in the persistent store, using either one- or two-way encryption? For example, MySQL's PASSWORD() function is a fairly common one-way encryption mechanism for passwords, and many other 2-way encryption algorithms can be used to cipher credit card numbers or other legally-sensitive information.

If I want an entity bean to represent objects with sensitive, more-than-likely-encrypted-in-the-persistent-store data fields, what's the best way to approach this? Use a BMP bean that harnesses the ease of using decryption methods in the actual SQL code? Or use a CMP bean wrapped with a session facade (like a DecryptorFactory of some sort) that can make sense out of the encrypted data?

What's the best way to do this and keep the ejb-jar portable across different database implementations? Is there any way to achieve one-way encryption with Java? This has been bugging me for a long time. If anyone has any best practices or good ideas, please share, thanks!
Alex Sharkoff
Ranch Hand

Joined: Apr 11, 2004
Posts: 209
Dan,

You could encapsulate all required logic in your CMP EB. E.g.,



As you can see in the example, we decrypt the password extracted from the db. The same could be done when storing the password into the db (you would encrypt first and then save into the db).

Oh, yeah. In regards to one-way encryption in Java, check out the following:


Hope it helps,


[ August 13, 2004: Message edited by: Alex Sharkoff ]


Alex (SCJP 1.4, SCBCD 1.3, SCWCD 1.4, SCJD 1.4)
Dan Ludwig
Greenhorn

Joined: Jun 05, 2004
Posts: 18
I found some other docs on doing the SHA and MD5 encryption using MessageDigest, and your above example works great if that's how the data is encrypted. I still think an environment entry might be necessary though, to be able to configure the encryption method at deployment time (one which would work with some kind of MessageDigestCryptionFactory) depending on the database.

However, what I'm looking for here is more of an answer to the portability issue. What if the persistent store uses an encryption algorithm other than SHA or MD5? Do I need to become a cipher expert if I want my CMP bean to work with several different database vendors, and work with existing data (that for example I, as the Bean Provider, cannot suggest encryption policies for)?
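
An added example, not code from the thread or from either poster: one-way hashing done in Java so that the CMP field only holds an opaque string and nothing depends on a database-specific function, with the algorithm name passed in as it might be from a deployment-time setting. The class name, the `algorithm$salt$hash` storage format, the per-record salt and the iteration count are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper: hashing happens in Java, so the CMP field is a plain String column.
public class PortablePasswordHasher {
    private static final int PBKDF2_ITERATIONS = 100_000; // assumed work factor, tune per deployment

    // algorithm would come from a deployment-time setting such as an env-entry,
    // e.g. "SHA-256" (MessageDigest) or "PBKDF2WithHmacSHA256" (SecretKeyFactory).
    public static String hash(String algorithm, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per record
        Base64.Encoder b64 = Base64.getEncoder();
        return algorithm + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(derive(algorithm, salt, password));
    }

    // The stored value names its own algorithm, so records hashed under different settings can coexist.
    public static boolean verify(String stored, char[] password) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false; // not in this example's format
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, derive(parts[0], salt, password)); // constant-time compare
    }

    private static byte[] derive(String algorithm, byte[] salt, char[] password) throws GeneralSecurityException {
        if (algorithm.startsWith("PBKDF2")) { // iterated key-derivation function
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
            return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
        }
        MessageDigest md = MessageDigest.getInstance(algorithm); // single-pass digest, as in the thread
        md.update(salt);
        return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "constructed-sample-password".toCharArray(); // constructed input
        for (String alg : new String[] {"SHA-256", "PBKDF2WithHmacSHA256"}) {
            String stored = hash(alg, pw);
            System.out.println(stored + " -> " + verify(stored, pw) + " / " + verify(stored, "wrong".toCharArray()));
        }
    }
}
```

A single-pass digest is fast to brute-force, so the PBKDF2 branch is the one to use for new password data; the digest branch only covers records that were already hashed that way.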
 