I’ve heard people saying usage of JDBC (Java Database Connectivity) isn’t recommended in Java applets. All they say is: ‘because of the security reasons’. What ‘security reasons’ do they mean? What would a potentially ‘bad person’ do when he/she found out about JDBC used in an applet, placed somewhere on a website?
To make one’s applet safe, it is wise to place a servlet between an applet and a database. I believe most programmers do it; I would like to know why.
At the most basic level, the database server ought not be opened up to the public internet. If you want random users running a Java applet to access the database directly, that implies that the database is configured to accept connections from anyone on the internet. If that’s the case, an attacker can attack your database at their leisure without worrying about first penetrating a firewall or getting access to the internal network.
Since the Java applet runs on the client machine, that means that it is easy enough for an attacker to see exactly what the applet is doing so they can easily extract the username and password for the database. Since we’ve already established that the database server has to be open to the internet for the applet to work, that means that an attacker has a username and a password that they can use from any tool they want. So now the attacker can do anything the database account your applet uses can do (bypassing any security in your applet) but they can also look for attacks that allow them to escalate their privileges.
- because you’d need to expose your database to the internet
- you need to let the applet have access to the password used to connect to the database; a hacker can easily pull that password out of a debugger
- most people don’t think to use different DB accounts with different privileges
- you can’t change the DB structure easily after the first release
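The servlet tier that both answers recommend, written here as an added example (not code from the question or either answer): the database password never leaves the server, the applet can only ask one narrow question, and the account behind the DataSource is read-only. It assumes a container-managed DataSource named jdbc/appdb, a session created by the container's own authentication, and a made-up product table.

```java
import java.io.IOException;
import java.sql.*;
import javax.naming.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Hypothetical servlet between the applet and the database. Assumed: the container binds a
// DataSource at "java:comp/env/jdbc/appdb" using a read-only account whose password lives only
// in server config; "product" and the "id" request parameter are made-up names for this example.
public class ProductLookupServlet extends HttpServlet {
    private DataSource ds;
    @Override
    public void init() throws ServletException {
        try {  // credentials are resolved here, on the server, and never shipped to the applet
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appdb");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/appdb not configured", e);
        }
    }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The applet never sends SQL: it may only ask for one product by numeric id, after login.
        if (req.getSession(false) == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        int id;
        try {
            id = Integer.parseInt(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "id must be an integer");
            return;
        }
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT name, price FROM product WHERE id = ?")) {
            ps.setInt(1, id);  // bound parameter, not string concatenation
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println(rs.getString("name") + "\t" + rs.getBigDecimal("price"));
        } catch (SQLException e) {
            log("product lookup failed", e);  // details stay in the server log, not the client
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

With this in place the applet talks HTTP to the servlet only, so the database port can stay closed to the internet and the applet's bytecode contains no connection string for a debugger to recover.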