db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tushar Kale <tk...@w3apps.com>
Subject Re: Need help in designing secure database application
Date Sat, 13 Feb 2010 03:54:24 GMT

Hi Charlie:

Thanks for the quick response!
I think  I can use the encrypt=true flag when database is created. This will
prevent user from opening the database files in OS and dumping them to see
data. Somehow I need to protect the data structures (tables/relationships
etc) in the database.

Charlie Kelly wrote:
> Hi Tushar,
> You are describing a difficult task.
> One approach is to encrypt data before they are stored in a database.
> In this case, you need a secure method creating and distributing keys.
> See http://www.bouncycastle.org/ for encryption libraries that are 
> written in Java.
> Charlie
> Tushar Kale wrote:
>> The use case is as follows. 
>> The application uses embedded derby. The information in the database
>> needs
>> to be secured. Users should not be able to list tables and table columns
>> or
>> get the data using select statements.
>> My original thought was to implement the application logic as stored
>> procedures, create a user in the database and give this user (who is not
>> a
>> database owner) the execute permission on stored procedures. Java
>> application will use the CALL statements only and not select statements.
>> I
>> need to  use connection authorization and SQL authorization both. 
>> In the JAva program, user name and password will be used to connect to
>> the
>> database. My problem is, if I start the database with user name and
>> password, this user cannot shutdown the database as he is not the
>> database
>> owner. I don't want to use the database owner name and password in the
>> Java
>> program as user can decompile the Java program and get the database owner
>> name and password. 
>> In short, here is what I am trying to achieve:
>> Create and encrypt database with database owner name and password. 
>> Create user in the database with user name and password
>> Grant Execute permission to user on stored procedures
>> In the Java program, use user name and password to start the database
>> Use Call statements to execute business logic
>> Shutdown the database when done.
>> I am not sure how to proceed. Any guidance in implementing will be
>> appreciated.

View this message in context: http://old.nabble.com/Need-help-in-designing-secure-database-application-tp27572103p27572272.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.

View raw message