  1. #1
    xxSLRxx is offline Member

    Default Client-Database vs Client-Server-Database Setup

    I'm working on a program at work that needs to store company information in a database securely. The program is going to have multiple users so permissions will be necessary. Currently, my knowledge of Java is rather limited so I'm hoping to receive some good advice on the topic before I dive too deep.

    So far I've come up with a couple ideas and I'd like to see which is the best (or if there's another way that I've overlooked).

    1. Create a program that interacts directly with the company database.

    This seems the easiest to do since all the permissions and database interactions would be handled within the program directly. At the same time, it seems to be less secure since the client itself has complete access to the database directly.

    2. Create a client-server application where the client sends requests to the server which interacts with the database on the client's behalf.

    This would be more secure since all of the database interaction is handled directly on the server instead of the client; however, it makes things significantly more complex. For example: Should permission checks be done on the client or server side? How do you configure a request from the client into a SQL request on the server and vice versa?

    Any and all suggestions are welcome, and thanks in advance

  2. #2
    ozzyman is offline Senior Member

    Default Re: Client-Database vs Client-Server-Database Setup

    How is it more secure on a separate server? You still have to give the client read/write permissions to the database. If you separate the database and the client you need SSL to prevent man in the middle attacks and you'll also need to add security validation to any online form that accesses the database to prevent SQL injection. Unless you're getting paid extra why create the extra fuss?

  3. #3
    Tolls is offline Moderator

    Default Re: Client-Database vs Client-Server-Database Setup

    So long as the client and database are on an internal (secure) network then opening the db to access directly from the client is OK (assuming you have figured out load).
    The disadvantage is that you now have umpteen clients to maintain...which can be handled using Web Start.

  4. #4
    xxSLRxx is offline Member

    Default Re: Client-Database vs Client-Server-Database Setup

    Quote Originally Posted by ozzyman
    How is it more secure on a separate server? You still have to give the client read/write permissions to the database.
    You are correct in that the client will have to have read/write permissions (or something similar) which is dangerous enough; however, I don't have to include all permissions such as drop or alter. In my mind, the client app would have as basic of permissions that it needed to reliably run on while the server app would have full access to the database. At least that's how I saw it in my head.

    Quote Originally Posted by Tolls
    So long as the client and database are on an internal (secure) network then opening the db to access directly from the client is OK (assuming you have figured out load).
    The disadvantage is that you now have umpteen clients to maintain...which can be handled using Web Start.
    Unfortunately, the company I work for has several store locations so this program will inevitably be connecting over the internet (no company VPN), thus my concern for security. Thanks for the quick responses guys. Given the choice, I would much rather configure a client-database app and as you so elegantly put it maintain umpteen clients. Do you think it's possible to make this configuration secure?

  5. #5
    clydedoris is offline Member

    Default Re: Client-Database vs Client-Server-Database Setup

    Quote Originally Posted by ozzyman
    How is it more secure on a separate server? You still have to give the client read/write permissions to the database. If you separate the database and the client you need SSL to prevent man in the middle attacks and you'll also need to add security validation to any online form that accesses the database to prevent SQL injection. Unless you're getting paid extra why create the extra fuss?
    Depending on the type of application you would be creating, having a 3 tier application architecture would be much more secure imo. For example, if you're going to create a web application (i.e. browser-based and JSP in the server), that would be more secure than creating a desktop application to be run on the client which would then directly access the database.
    [why are you annoyed with my sig?]

  6. #6
    Tolls is offline Moderator

    Default Re: Client-Database vs Client-Server-Database Setup

    Quote Originally Posted by xxSLRxx
    Unfortunately, the company I work for has several store locations so this program will inevitably be connecting over the internet (no company VPN), thus my concern for security. Thanks for the quick responses guys. Given the choice, I would much rather configure a client-database app and as you so elegantly put it maintain umpteen clients. Do you think it's possible to make this configuration secure?
    That right there says you'll want a server in the way.
    Basic rule, never expose your database directly to the internet. You leave it open to being taken down.
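
The server-in-the-middle design discussed in this thread, as an added example that is not part of any post: the client sends only an action name and values, and the server checks permissions and binds the values into a fixed, parameterized statement. The class, action, role, table and column names are hypothetical, and the user name is assumed to be the identity the server authenticated, not a value the client claims.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: server-side request gateway. All names are hypothetical.
public class RequestGateway {
    enum Action { VIEW_STOCK, UPDATE_PRICE }

    // user = identity established by the server's login/session, never trusted from the client.
    record Request(String user, Action action, List<Object> args) {}

    // Fixed SQL per action: the client never sends SQL text, only an action and values.
    static final Map<Action, String> SQL = Map.of(
        Action.VIEW_STOCK, "SELECT sku, qty FROM stock WHERE store_id = ?",
        Action.UPDATE_PRICE, "UPDATE products SET price = ? WHERE sku = ?");

    // Permission table kept on the server (constructed sample data).
    static final Map<String, Set<Action>> GRANTS = Map.of(
        "clerk", Set.of(Action.VIEW_STOCK),
        "manager", Set.of(Action.VIEW_STOCK, Action.UPDATE_PRICE));

    /** Returns the SQL template for an authorised, well-formed request, or throws. */
    static String authorise(Request r) {
        if (!GRANTS.getOrDefault(r.user(), Set.of()).contains(r.action()))
            throw new SecurityException(r.user() + " may not " + r.action());
        String sql = SQL.get(r.action());
        long placeholders = sql.chars().filter(c -> c == '?').count();
        if (placeholders != r.args().size())
            throw new IllegalArgumentException("wrong argument count for " + r.action());
        return sql;
    }

    /** Binds client values as parameters; they are never concatenated into the SQL. */
    static PreparedStatement prepare(Connection db, Request r) throws SQLException {
        PreparedStatement ps = db.prepareStatement(authorise(r));
        for (int i = 0; i < r.args().size(); i++) ps.setObject(i + 1, r.args().get(i));
        return ps;
    }

    public static void main(String[] unused) {
        Request ok = new Request("manager", Action.UPDATE_PRICE, List.of(9.99, "SKU-1"));
        System.out.println("allowed: " + authorise(ok));
        Request denied = new Request("clerk", Action.UPDATE_PRICE, List.of(0.01, "SKU-1"));
        try { authorise(denied); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The database account behind `prepare` would be granted only what these statements need (here SELECT and UPDATE on two tables), so a compromised server still cannot drop or alter anything.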
