如何保护数据库连接字符串

时间:2021-07-11 12:09:52

I usually keep database connection information including username/password in .properties file or in .xml file.Is there a way to make this more secure? I mean on directory level someone can easily edit the file and connect to database.

我通常在.properties文件或.xml文件中保存数据库连接信息,包括用户名/密码。有什么方法可以让这更安全吗?我的意思是在目录级别上,有人可以很容易地编辑文件并连接到数据库。

thanks

谢谢

I use spring framework spring security and jsf 2 tools.I am actually looking for a solution other than handling file level authorization.Users can be granted access on linux and windows.Adding some paranioa I even would like to hide it from authorized users. I don t want the authorized users to see username/password information in plain text.

我使用spring framework spring security和jsf 2工具。实际上,我正在寻找一个解决方案,而不是处理文件级别的授权。用户可以在linux和windows上被授予访问权限。添加一些paranioa,我甚至想把它隐藏在授权用户中。我不希望授权用户看到纯文本的用户名/密码信息。

thanks for replies

谢谢你的回复

3 个解决方案

#1


1  

You can encrypt those files and then use them. Though it will increase the overhead of encryption/decryption.

您可以加密这些文件,然后使用它们。尽管这会增加加密/解密的开销。

#2


1  

You can make the connection string unaccessible for unauthorized users. this is a simple issue of permissions and simply revoking all unnecessary permission on your config file is enough. However you cannot protect the connection string from authorized users, and that always include all members of the local Administrators group and the user that runs the application.

您可以使未授权用户无法访问连接字符串。这是一个简单的权限问题,只要撤销配置文件上所有不必要的权限就足够了。但是,您不能保护连接字符串不受授权用户的保护,并且该字符串总是包含本地管理员组的所有成员和运行应用程序的用户。

There are ways to encrypt the connections string too, as configuration do support encryption, see Encrypting and Decrypting Configuration Sections. But this is a means to protect against accidental media loss (your HDD turns out in a flea market). Cryptography does not add any real protection more that file level authorization because the application itself needs to decrypt the configuration. I'm emphasizing this because all too often questions like yours actually mean a DRM enforcing question, how to ensure the user using the application does not see or modify some part of the application.

还有一些方法可以加密连接字符串,因为配置确实支持加密,请参阅加密和解密配置部分。但是,这是一种防止意外媒体损失的方法(您的硬盘是在跳蚤市场上发现的)。由于应用程序本身需要对配置进行解密,所以密码学不添加任何真正的文件级别授权保护。我之所以强调这一点,是因为像您这样的问题通常意味着一个DRM强制问题,即如何确保使用应用程序的用户看不到或修改应用程序的某些部分。

someone can easily edit the file and connect to database

有人可以很容易地编辑文件并连接到数据库

I hope you mean 'someone can easily cause the application to connect to a different database' and this should be easy for authorized users. If you're trying to hide what database you're connecting to you're really barking up the wrong tree because that is visible in a myriad other ways.

我希望您的意思是“某人可以很容易地使应用程序连接到另一个数据库”,这对于授权用户来说应该很容易。如果你想隐藏你正在连接的数据库,你真的是在寻找错误的树,因为它在很多其他方面都是可见的。

#3


0  

Take a look here It look like that, from the link i gave here.

看这里,看起来是这样的,从这里的链接。

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>

#1


1  

You can encrypt those files and then use them. Though it will increase the overhead of encryption/decryption.

您可以加密这些文件,然后使用它们。尽管这会增加加密/解密的开销。

#2


1  

You can make the connection string unaccessible for unauthorized users. this is a simple issue of permissions and simply revoking all unnecessary permission on your config file is enough. However you cannot protect the connection string from authorized users, and that always include all members of the local Administrators group and the user that runs the application.

您可以使未授权用户无法访问连接字符串。这是一个简单的权限问题,只要撤销配置文件上所有不必要的权限就足够了。但是,您不能保护连接字符串不受授权用户的保护,并且该字符串总是包含本地管理员组的所有成员和运行应用程序的用户。

There are ways to encrypt the connections string too, as configuration do support encryption, see Encrypting and Decrypting Configuration Sections. But this is a means to protect against accidental media loss (your HDD turns out in a flea market). Cryptography does not add any real protection more that file level authorization because the application itself needs to decrypt the configuration. I'm emphasizing this because all too often questions like yours actually mean a DRM enforcing question, how to ensure the user using the application does not see or modify some part of the application.

还有一些方法可以加密连接字符串,因为配置确实支持加密,请参阅加密和解密配置部分。但是,这是一种防止意外媒体损失的方法(您的硬盘是在跳蚤市场上发现的)。由于应用程序本身需要对配置进行解密,所以密码学不添加任何真正的文件级别授权保护。我之所以强调这一点,是因为像您这样的问题通常意味着一个DRM强制问题,即如何确保使用应用程序的用户看不到或修改应用程序的某些部分。

someone can easily edit the file and connect to database

有人可以很容易地编辑文件并连接到数据库

I hope you mean 'someone can easily cause the application to connect to a different database' and this should be easy for authorized users. If you're trying to hide what database you're connecting to you're really barking up the wrong tree because that is visible in a myriad other ways.

我希望您的意思是“某人可以很容易地使应用程序连接到另一个数据库”,这对于授权用户来说应该很容易。如果你想隐藏你正在连接的数据库,你真的是在寻找错误的树,因为它在很多其他方面都是可见的。

#3


0  

Take a look here It look like that, from the link i gave here.

看这里,看起来是这样的,从这里的链接。

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>