我有一个包含数据库用户名/密码的属性文件,我用它来管理 ibatis 与数据库的连接。
加密此属性文件以保证安全的最佳方法是什么?
实际上我使用的是netbeans 6.8。有没有办法在为项目打包时加密这个属性文件,或者有其他方法来防止其他人看到数据库凭据?
我正在使用 ibatis 连接到 java 桌面应用程序中的数据库
任何帮助将不胜感激。
谢谢
I have a properties file containg the database username/password which i used it to manage ibatis connection with the database.
What is the best way to encrypt this properties file to be secure.
Actually I am using netbeans 6.8. Is there a way to encrypt this properties file while making packaging for the project, or any other way to prevent others to see the database credentials?
I am using ibatis to connect to database in a java desktop application
Any help would be appreciated.
thanks
发布评论
评论(4)
您是否想消除诱惑或让用户无法找到用户名/密码来手动连接数据库?
如果您只是想消除诱惑,当然可以对文件进行加密。 MyBatis(我看到您标记了您的问题
mybatis和ibatis,所以我假设我的代码中有 MyBatis)不提供开箱即用的功能使用加密凭据的方式,但您可以干预使用凭据的代码并在那里进行解密。您只需创建一个自定义数据源工厂。假设您有一个像这样的数据源:
带有密钥的属性文件:
您可以加密该文件,然后创建一个自定义数据源工厂,如下所示(确保扩展正确的数据源工厂:池化、非池化等):
您的数据源将更改为:
现在用户将无法再看到凭据。
但请注意,上述内容不会保护用户名/密码。无论您选择什么来消除诱惑(加密、混淆、一些复杂的算法等),问题是您的用户拥有在他的机器上逆转该过程所需的一切(解密密钥、提取存档) 、反编译代码、逆向工程等)。
要使其无法检索用户名/密码,请将 iBatis/myBatis 移至应用程序服务器;即,将您的胖客户端转换为更精简 之一。您获得了 Windows 应用程序和数据库之间的解耦。您的应用程序服务器将根据 Windows 应用程序收到的命令运行所有数据库查询。
在这种情况下,Windows 应用程序将不再运行查询本身,因此它根本不需要数据库凭据;数据库凭据将存储在应用程序服务器上。
Do you want to remove the temptation or make it impossible for the users to find the username/password to manually connect to the database?
If you just want to remove the temptation, you can off course encrypt the file. MyBatis (I see you tagged your question
mybatisandibatisso I'll assume MyBatis in my code) does not offer an out of the box way of using encrypted credentials, but you can intervene in code where the credentials are used and do your decryption there. You just have to create a custom data source factory.Assuming you have a data source like this:
with a properties file for the keys:
you can encrypt the file and then create a custom data source factory like so (make sure you extend the right one: pooled, unpooled etc):
Your data source will then change to:
And now the users can't see the credentials anymore.
But note that the above won't protect the username/password. Whatever you choose to eliminate the temptation (encryption, obfuscation, some sophisticated algorithm etc) the thing is that your user has everything he needs to reverse the process right there on his machine (decrypt key, extract the archive, decompile code, reverse engineering etc).
To make it impossible to retrieve the username/password, move iBatis/myBatis to an application server; i.e. transform your thick client into a thinner one. You obtain a decoupling between the windows application and the database. Your application server will run all the database queries based on commands received by the windows application.
In this case, the windows application will no longer be running the queries itself so it won't need the database credentials at all; the database credentials will be stored on the application server.
您是否在 Web 应用程序中使用 IBatis?如果是这样,您应该在 Web 容器中设置数据库访问详细信息,而不是在应用程序中。然后,您的应用程序将通过容器(Tomcat、GlassFish、Websphere 等)访问数据库,并且无需担心安全性。
您基本上想要设置一个 JNDI 数据源 - 存在于容器框架中而不是您的应用程序中的东西。如果可以的话,我不想在属性文件中包含数据库访问详细信息。
Are you using IBatis in a web application? If so, you should set up the database access details in the web container, not the application. Your application would then access the database via the container (Tomcat, GlassFish, Websphere etc.) and have no concern about security.
You basically want to set up a JNDI DataSource - something that exists in the container framework and not your application. I wouldn't want database access details in a properties file if I could help it.
无论您做什么,请记住,要加密密码,您需要一个密钥,并且必须将该密钥存储在某个地方。您选择的任何加密解决方案都是如此,并且也适用于应用程序服务器。
这意味着应该以某种方式考虑密钥安全,例如可以在 UNIX 帐户级别或类似的级别上设置安全性。
这是加密数据并生成密钥的代码的好示例:
http://exampledepot。 com/egs/javax.crypto/DesString.html
以下是如何从文件保存加载密钥:
http://www.java2s.com/Code/Java/Security/TripleDES.htm
Whatever you do, keep in mind, that to encrypt password, you need a key and you will have to store that key somewhere. That is the case for any solution you choose for encryption and applies to application server as well.
That means that key safety should be considered somehow, e.g. security can be setup on UNIX account level or something like that.
here is good example of the code which encrypts data and generates a key:
http://exampledepot.com/egs/javax.crypto/DesString.html
And here is how to save a load key from file:
http://www.java2s.com/Code/Java/Security/TripleDES.htm
我也在寻找保护 Database.properties 文件的相同问题,并找到了一种简单的方法:
如果您知道您的应用程序的用户将连接到互联网,而不是使用加密解密,只需将您的属性文件托管在任何可以为您提供两个主要属性的免费文件托管网站上:
我正在使用的解决方案之一是 Dropbox,您可以观看使用其公用文件夹属性的教程这里
...希望这能解决您的问题,就像解决我的问题一样:)
I've also searching for same problem of securing Database.properties file and found an easy way:
If u know that the user of your application will be connected to the internet than without using encryption-decryption just host your properties file on any free file hosting site that can provide you with two major properties:
One of the solution that i am using is Dropbox, You can watch a tutorial for using its public folder property Here
... Hope that will solve your problem as it solve mine :)