Accessing a DB

2009-06-09 Thread Sean

In regards to using RPCs to access a database, I am worried about
security. I'd love to use an RPC to access a DB, but what I can't
figure out is how to store the name and pw of the DB. I'm afraid if I
put it right in the code someone could just read it. If I try to read
it from a file, I'm afraid that they will see the path to the file and
read it.

Is it secure enough to put the PW in a locked directory from the
outside world and read it? I'm afraid it'd be too easy to break in.
How do you do it?
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Google Web Toolkit group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~--~~~~--~~--~--~---



Re: Accessing a DB

2009-06-09 Thread mnenchev

Everything which is in your server package is on the server, so no one 
could access your private data. It is like in Hibernate, which has a 
Hibernate config file where the user and pass are stored. This config 
file is on the server and no one has access to it.




Re: Accessing a DB

2009-06-09 Thread Sean

So, not to be paranoid or anything, but there are no tricks or
anything to get into the WEB-INF folder and beyond? If I try to access
it from a browser I do get the 403 (FORBIDDEN) error, I just want to
make sure there's no quick turn around for that. I guess I lied, I am
paranoid. Thanks for your help!




Re: Accessing a DB

2009-06-09 Thread mnenchev

WEB-INF is a private directory; no one outside could access it. So, 
storing username and pass there is totally secure, but I have never 
tried it. As I told you, it is secure, don't worry.




Re: Accessing a DB

2009-06-09 Thread Peter Ondruška

As with anything, unless you test you are never sure. For example, there
used to be a bug in Jetty a long time ago which allowed access to
WEB-INF content. This is fixed, but such a bug can be introduced with
other containers as well. Just my €.02. Peter




Re: Accessing a DB

2009-06-09 Thread Daniel Jue

The server side classes get compiled to bytecode, like most webapps.
The client side classes get compiled to bytecode and then combined
into JavaScript. And then the bytecode goes in your WEB-INF/classes
dir, and as others have said, the outside world shouldn't have access
to that dir.

Since the client side gets magically transformed into JS, don't have
any Strings or constants under the client package that you don't want
your users to see/fuzz.

Also, by all means sanitize your data in the classes under the server
package.  Don't pass in variables blindly.  Later you can add some
client side sanitizing if you want, but compared to the server side,
it's not necessary.

Use prepared statements, etc etc, profit!

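An added example (not code from any poster in this thread) of what the replies describe: a GWT RPC servlet that reads the DB credentials from a file under WEB-INF on the server only, validates its input there, and queries with a prepared statement. The class and interface names, the `db.properties` keys and the `users` table are hypothetical.

```java
package com.example.server; // hypothetical server package

import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.io.IOException;
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;
import javax.servlet.ServletException;

// Hypothetical RPC contract; in a real project it lives in the client package.
interface UserLookupService extends RemoteService {
    String findEmail(String userName);
}

public class UserLookupServiceImpl extends RemoteServiceServlet implements UserLookupService {
    private final Properties db = new Properties();

    @Override
    public void init() throws ServletException {
        // Loaded by server code only; nothing from this file is compiled into the client JS.
        try (InputStream in = getServletContext().getResourceAsStream("/WEB-INF/db.properties")) {
            if (in == null) throw new ServletException("missing /WEB-INF/db.properties");
            db.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read DB settings", e);
        }
    }

    // The browser sends only a user name, never SQL and never credentials.
    @Override
    public String findEmail(String userName) {
        // Server-side validation: reject anything outside the expected shape.
        if (userName == null || !userName.matches("[A-Za-z0-9_.-]{1,64}")) {
            throw new IllegalArgumentException("invalid user name");
        }
        String sql = "SELECT email FROM users WHERE name = ?"; // hypothetical table
        try (Connection c = DriverManager.getConnection(
                 db.getProperty("url"), db.getProperty("user"), db.getProperty("password"));
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userName); // bound as data, not concatenated into the SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        } catch (SQLException e) {
            log("user lookup failed", e); // details stay in the server log
            throw new IllegalStateException("lookup failed");
        }
    }
}
```

Keeping `db.properties` readable only by the account the container runs as, and giving the DB user in it only the privileges the RPC methods need, limits the damage if a container bug of the kind mentioned in the thread ever exposes WEB-INF.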