Problem description
I am creating an application and I need to connect to a database. The database requires login/password so the application can do operations like select and insert.
In the application I need to connect to the database using login and password, so the application is free to do some tasks on the database. My question is: how do I store and use a password to connect to the database without exposing the password?
I can't simply use a hash or encryption to store the password because the database must recognize the password (I think most or all databases must receive password as plain text).
Note: The connection is made by the application. No human input to do the connection.
(Edit) More info about the application: it is a web application using servlets/jsp. The database is on the same server as the application. The user for the application is a default user without complete admin powers, but it may insert/delete rows and do most things that involve queries and data modification in tables.
Recommended answer
The usual way this is done is to externalize the username/password to a property/config file which is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).
The file is protected via the O/S security by the sysadmins.
The O/S has better tools for protection than app code.
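
An added example, not part of the original answer: one way to read externalized credentials at runtime and refuse to start if the file is readable beyond its owner. It assumes a POSIX host, a JDBC driver on the classpath, and hypothetical names chosen here (the `APP_DB_CONFIG` variable, the `/etc/myapp/db.properties` path, and the `db.url`/`db.user`/`db.password` keys).

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.*;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

public class DbCredentials {
    // Any of these bits means an account other than the file owner can read or change the secret.
    private static final Set<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    /** Loads the credentials from a file outside the WAR; fails closed if the mode is too open. */
    static Properties load(Path file) throws IOException {
        // Throws UnsupportedOperationException on non-POSIX file systems (assumption: POSIX host).
        for (PosixFilePermission p : Files.getPosixFilePermissions(file)) {
            if (TOO_OPEN.contains(p)) {
                throw new IOException(file + " has " + p + " set; expected mode 600 or 400");
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        // Hypothetical key names; report a missing key by name, never echo a value.
        for (String key : new String[] {"db.url", "db.user", "db.password"}) {
            if (props.getProperty(key) == null) {
                throw new IOException("missing key " + key + " in " + file);
            }
        }
        return props;
    }

    static Connection connect(Properties props) throws SQLException {
        return DriverManager.getConnection(props.getProperty("db.url"),
                props.getProperty("db.user"), props.getProperty("db.password"));
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical location: the path comes from the environment, not from code or the WAR.
        String path = System.getenv().getOrDefault("APP_DB_CONFIG", "/etc/myapp/db.properties");
        try (Connection c = connect(load(Paths.get(path)))) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        }
    }
}
```

The file itself would be owned by the account the servlet container runs as, with mode 600, and kept out of version control and out of the deployed archive.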