Secure way for database calls between client-side and server-side in Servlet?

Jason Ever
Greenhorn

Joined: Oct 06, 2013
Posts: 6
I am building a Java chat application, based on Java Secure Sockets and JavaFX, and I use a Derby database on the server side to record the members in the database.

My question is: how do I make a secure connection between the client-side applet and the server side, instead of a direct connection from the client side to the remote database on the server side?

I had an idea to use a Servlet as a remote API, call it from the client side, and tell it the command to run in the remote database on the server.

Is this method safe and secure? I am worried that a bad person may try to fetch the API URL and call it badly, adding wrong records to the database without needing to log in to the client-side application, and try to hack the database. So how do I secure myself from this? Note that the client-side application may be installed on many computers, so don't tell me to secure the API by determining which remote IPs are allowed to connect via the API.

And if there are any other more secure methods, please tell me.

Thank you,
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
Not using JDBC in the applet, but instead using some kind of API to access a servlet container - which in turn accesses the DB - is a good first step.

If you don't want arbitrary clients executing arbitrary API calls, then you need some kind of authentication. I can't tell from your post whether you're thinking of requiring a login, or ruling that out, but some kind of authentication is needed.


Ping & DNS - my free Android networking tools app
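One way to put the "API in front of the DB" advice into practice (an added example, not code from this thread): the servlet exposes a fixed, parameterised operation, refuses requests without an authenticated session, and never takes SQL from the client. The servlet path, session attribute, JNDI name, table and column names are assumptions.

```java
// Added example, not from the thread: a servlet API that exposes one fixed,
// parameterised operation and requires an authenticated session before any
// database access. Names of the path, session attribute, JNDI resource, table
// and columns are assumptions.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

@WebServlet("/api/members/nickname")
public class MemberApiServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The client may only ask for an operation the server defines; the SQL
        // text lives here, so a stolen URL cannot be used to run arbitrary SQL.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // must log in first
            return;
        }
        long userId = (Long) session.getAttribute("userId");
        String nickname = req.getParameter("nickname");
        if (nickname == null || nickname.trim().isEmpty() || nickname.length() > 32) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            DataSource ds = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/chatDb"); // assumed JNDI name
            try (Connection c = ds.getConnection();
                 PreparedStatement ps = c.prepareStatement(
                     "UPDATE members SET nickname = ? WHERE id = ?")) {
                ps.setString(1, nickname);
                ps.setLong(2, userId); // row chosen from the session, not the request
                ps.executeUpdate();
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (NamingException | SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

The login that populates `userId` in the session is assumed to exist elsewhere (a login servlet or the container's form-based authentication); without it every call is rejected with 401.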
Jason Ever
Greenhorn

Joined: Oct 06, 2013
Posts: 6
Ulf Dittmer wrote:Not using JDBC in the applet, but instead using some kind of API to access a servlet container - which in turn accesses the DB - is a good first step.

If you don't want arbitrary clients executing arbitrary API calls, then you need some kind of authentication. I can't tell from your post whether you're thinking of requiring a login, or ruling that out, but some kind of authentication is needed.


Thank you, dear. I thought of doing authentication for the API by adding an access-key parameter to the API URL when the client side connects to the API, but I think that this access key may be stolen by a hacker, and then he can call the API directly too.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41101
That goes for just about any kind of authentication. If the API is important enough to need protection against that (which means more secure than at least 95% of all web sites and APIs out there), you can resort to two-factor authentication, assuming we're talking about human access and not automated access. That makes it much less likely that unauthorized access can happen, but not impossible (unless maybe one of the factors is biometrics). But now we're talking a three-letter-agency security level - which you would not be discussing in a public forum like this :-)
Sujeeth Pakala
Ranch Hand

Joined: Mar 24, 2009
Posts: 94
Two options struck me:

1. Write an EJB and expose it as a RESTful web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client easily using annotations. Use the JSON data format, which eases parsing the data.

2. Write an EJB and expose it as a SOAP web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client, maintain client sessions, and impose transactions. Pay attention: the SOAP protocol has more advantages in terms of security, transactions, etc.

Hope this helps.



Regards, Sujeeth Pakala
SCJP, SCWCD, SCBCD, ICAD, XML Master Basic, Certified SOA Professional
Jason Ever
Greenhorn

Joined: Oct 06, 2013
Posts: 6
Sujeeth Pakala wrote:Two options struck me:

1. Write an EJB and expose it as a RESTful web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client easily using annotations. Use the JSON data format, which eases parsing the data.

2. Write an EJB and expose it as a SOAP web service on the server. Then write a Dispatch client to invoke the service from the applet. You can secure the communication between the EJB and the Dispatch client, maintain client sessions, and impose transactions. Pay attention: the SOAP protocol has more advantages in terms of security, transactions, etc.

Hope this helps.




Thank you very, very much, my dear.

I built an API using RESTful web services with @Controller and @Entity (entity beans), but I am confused between taking advantage of session beans and using them inside a Spring MVC controller (which represents the RESTful web services).

To explain my theory in more detail:
1. The client connects to the RESTful API (Spring controller).
2. The Spring controller connects locally to a session bean.
3. The session bean connects to the entity bean, then processes the request and returns the result.

Do I need to do these steps with a Spring RESTful API? Or do I not need to use session beans, and can I use only RESTful web services (Spring controller) and connect directly from them to the EJB entity beans? Do Spring RESTful web services give me the same advantages as session beans?
Sujeeth Pakala
Ranch Hand

Joined: Mar 24, 2009
Posts: 94
Jason,

Do you have a strong reason to use Spring?

If not, as I mentioned earlier, you can expose an EJB session bean as a RESTful web service. With this, you can eliminate the Controller and the EntityBean. The code snippet below will give you an idea.

Jason Ever
Greenhorn

Joined: Oct 06, 2013
Posts: 6
Dear Sujeeth,

Thank you again.

For Spring, I don't have a strong reason, but I feel that it's easier to develop RESTful services using it, and there are other things such as the RestTemplate object. Hmm, but I will think about your last reply, and I will think about steps to secure my API using authentication by adding a @PostConstruct method to check whether the request is authorised or not.

Sujeeth Pakala
Ranch Hand

Joined: Mar 24, 2009
Posts: 94
Jason,

Taking advantage of Spring's RestTemplate is a good idea, and using Spring Security is a way to secure your resource.

thinking about steps to secure my API using authentication by adding a @PostConstruct method to check whether the request is authorised or not


That is not the preferred way. The EJB 3.0 API has predefined annotations which secure EJB session beans.

Take a look at this if you decide to use EJBs.

Hope this helps.
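The "predefined annotations" referred to above, as an added example rather than code from this thread: a stateless session bean secured declaratively with the EJB security annotations, with a programmatic check for the one rule the annotations cannot express. The bean, role names and the `Member` JPA entity (assumed to have `login`, `nickname` and `setNickname`) are assumptions; the mapping of the roles to real users or groups is done in the container's security realm, not in the bean.

```java
// Added example, not from the thread: securing an EJB session bean with the
// EJB 3.x security annotations instead of a hand-written @PostConstruct check.
// Bean name, role names and the Member entity are assumptions; role-to-group
// mapping lives in the container's deployment descriptor / security realm.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
@DeclareRoles({"member", "moderator"})
@RolesAllowed("member")          // default for every business method below
public class ChatMemberService {

    @Resource
    private SessionContext ctx;  // exposes the container-authenticated caller

    @PersistenceContext
    private EntityManager em;

    /** Any authenticated member may change only their own nickname:
     *  the row is chosen from the caller principal, never from a parameter. */
    public void renameSelf(String nickname) {
        String login = ctx.getCallerPrincipal().getName();
        Member me = em.createQuery(
                "SELECT m FROM Member m WHERE m.login = :login", Member.class)
            .setParameter("login", login)   // bound parameter, no string concatenation
            .getSingleResult();
        me.setNickname(nickname);           // flushed by JPA when the transaction commits
    }

    /** Only moderators may remove other members; the container rejects
     *  every other caller with an EJBAccessException before this body runs. */
    @RolesAllowed("moderator")
    public void kick(long memberId) {
        Member target = em.find(Member.class, memberId);
        if (target != null) {
            em.remove(target);
        }
    }

    /** Programmatic role check for logic the annotations cannot express. */
    @PermitAll
    public boolean canModerate() {
        return ctx.isCallerInRole("moderator");
    }
}
```

Unauthenticated callers never reach a `@RolesAllowed` method: the container raises `javax.ejb.EJBAccessException`, so the bean itself contains no login code.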
Jason Ever
Greenhorn

Joined: Oct 06, 2013
Posts: 6
Sujeeth Pakala wrote:Jason,

Taking advantage of Spring's RestTemplate is a good idea, and using Spring Security is a way to secure your resource.

thinking about steps to secure my API using authentication by adding a @PostConstruct method to check whether the request is authorised or not


That is not the preferred way. The EJB 3.0 API has predefined annotations which secure EJB session beans.

Take a look at this if you decide to use EJBs.

Hope this helps.


Thank you, dear Sujeeth. I am confused, because this type of security, as I read, doesn't offer the trick I want for the user system inside my chat application, which depends on a user-groups system. As I read it, I must predefine these groups first inside the EJB class and the XML file, so what happens if I add new groups with different names and different permissions?! I think that it's not possible with this type of security? Or am I wrong? I am sorry for my repeated questions, but I want to build an equivalent EJB system, proceed the right way and take advantage of it.

Resources which I read:
http://blog.eisele.net/2011/01/jdbc-security-realm-and-form-based.html
http://blog.eisele.net/2013/01/jdbc-realm-glassfish312-primefaces342.html