如何在不暴露密码的情况下连接到需要密码的数据库?

我正在创建一个应用程序,我需要连接到一个数据库.数据库需要登录名/密码,因此应用程序可以执行选择和插入等操作.

I am creating an application and I need to connect to a database. The database requires login/password so the application can do operations like select and insert.

在应用程序中我需要使用登录名和密码连接到数据库,因此应用程序可以自由地对数据库执行一些任务.我的问题是:如何在不暴露密码的情况下存储和使用密码连接数据库?

In the application I need to connect to the database using login and password, so the application is free to do some tasks on the database. My question is: how do I store and use a password to connect to the database without exposing the password?

我不能简单地使用哈希或加密来存储密码,因为数据库必须识别密码(我认为大多数或所有数据库都必须以纯文本形式接收密码).

I can't simply use a hash or encryption to store the password because the database must recognize the password (I think most or all databases must receive password as plain text).

.

.

注意:连接是由应用程序建立的.无需人工输入即可进行连接.

Note: The connection is made by the application. No human input to do the connection.

(编辑)关于应用程序的更多信息:它是一个使用 servlets/jsp 的 Web 应用程序.数据库位于应用程序的同一台服务器上.应用程序的用户是默认用户,没有完全的管理权限,但它可以插入/删除行并执行大多数涉及查询和表中数据修改的事情.

(Edit)More info about the application: it is a web application using servlets/jsp. The database is on the same server of the application. The user for the application is a default user without complete admin powers, but it may insert/delete rows and do most things that involve queries and data modification in tables.

推荐答案

通常的做法是将用户名/密码外部化为 property/config 文件,在运行时读取(无论您是否使用本机 JDBC/JNDI/CDI/J2EE 数据源/等).

The usual way this is done is to externalize the username/password to a property/config file which is read at runtime (whether or not you use native JDBC/JNDI/CDI/J2EE datasource/etc).

系统管理员通过操作系统安全保护文件.

The file is protected via the O/S security by the sysadmins.

操作系统有比应用代码更好的保护工具.

The O/S has better tools for protection than app code.

相关文章