
I am making a Java based form desktop app, a mini login form, that will be able to log in to a grand system which is online in ASP.NET. The purpose of this app is to install it on PCs, and wherever this exe is installed, the website could be logged in to, otherwise not. The problem is, I have put the connection string of SQL Server in it, and employees will install this app on their machines; there is a tool available which decompiles JARs and classes. And when I checked my classes in it, it was showing my SQL Server password. And it can give them a chance to hack this app; this is really dangerous for us to provide it to them or give them a chance to get the SQL Server password. Can you please help: is there any such solution that I could give an MD5 encrypted password or some encrypted password in the connection string and SQL Server could be able to understand it?
Thanks

  • Not clear. Why does a client need the connection string, if you are accessing a web site? Password for the database should be server side, and then login should be to the web app not the db and be supplied by the user. Commented May 21, 2012 at 20:37
  • Can you get the MAC address of the client from ASP.NET? NO. It basically gets the MAC address, and if a PC is allowed then it generates a token and passes it to ASP.NET, and to generate the token we need SQL Server in the Java form. Commented May 21, 2012 at 20:46
  • Still don't understand why the ASP.NET cannot generate the token. Commented May 21, 2012 at 21:13
  • Where did MAC address come from? If you want to keep fundamental parts of your question secret and get an answer, get some one to read your tea leaves.... Commented May 22, 2012 at 17:27

2 Answers

There are a few ways you can handle this.

  1. The user info in your connection string should be limited to executing exactly one procedure: the one that tests if the MAC address is valid. This limits exposure. Not in an ideal way, but it's something.

  2. Don't send a connection string at all. Instead have the Java application post the MAC address to a web service. The service should connect to the database server to determine authorization. Better than option 1.

  3. Even better: Don't rely on MAC addresses. If you are worried that someone will look at the connection string then it stands to reason they might change their MAC address to mimic another machine. It stands to reason that anyone familiar enough to directly connect to a database server will also be familiar enough to download one of the many freely available tools to spoof their MAC.

Which leads to a comment: I think you're doing this wrong. If the entire purpose of the Java app is to simply read the MAC to validate whether that particular machine should have access, then you have some serious issues with understanding security and I think you really need to evaluate what, exactly, it is you are trying to stop.
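The following T-SQL is an added example illustrating options 1 and 2 of this answer; it is not code from the answer or from the asker's project. It shows what "limited to executing exactly one procedure" looks like on the SQL Server side: a dedicated login that holds no role membership and has EXECUTE on a single stored procedure, which is the only credential the client (option 1) or the web service (option 2) would ever use. The database, table, procedure and login names (MachineAuthDb, dbo.AllowedMachines, dbo.CheckMachine, client_check_login) and the sample MAC address are placeholders constructed for the example.

```sql
-- Added example, not part of the original answer. All object and login
-- names below are hypothetical placeholders.
USE MachineAuthDb;
GO

-- Constructed sample data: the allow-list the token check consults.
CREATE TABLE dbo.AllowedMachines (
    MacAddress VARCHAR(17) NOT NULL PRIMARY KEY
);
INSERT INTO dbo.AllowedMachines (MacAddress) VALUES ('00:11:22:33:44:55');
GO

-- The one and only operation the client-facing credential may perform.
-- The caller learns "allowed or not", never the contents of the table.
CREATE PROCEDURE dbo.CheckMachine
    @MacAddress VARCHAR(17)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CASE WHEN EXISTS (
               SELECT 1 FROM dbo.AllowedMachines WHERE MacAddress = @MacAddress
           ) THEN 1 ELSE 0 END AS IsAllowed;
END;
GO

-- Weak setting this replaces: shipping an sa or db_owner credential in the JAR.
-- Corrected setting: a login that is a member of no database role at all...
CREATE LOGIN client_check_login WITH PASSWORD = '<placeholder-set-real-password>';
CREATE USER client_check_user FOR LOGIN client_check_login;
-- ...holding exactly one permission, scoped to one object.
GRANT EXECUTE ON OBJECT::dbo.CheckMachine TO client_check_user;
GO

-- Check: impersonate the restricted user. The procedure call succeeds
-- (ownership chaining lets it read the table on the user's behalf) while a
-- direct SELECT on the table is refused with a permission-denied error.
EXECUTE AS USER = 'client_check_user';
EXEC dbo.CheckMachine @MacAddress = '00:11:22:33:44:55';
SELECT * FROM dbo.AllowedMachines;
GO
REVERT;
GO
```

The direct SELECT is deliberately left in so the check visibly fails; REVERT sits in its own batch so the impersonation context is always dropped even when the preceding statement errors. For option 2 the same GRANT applies, but the login belongs to the web service's configuration on the server and never leaves it, which removes the decompilation problem the question describes entirely.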


You can use integrated authentication, provided that the database server is in the same active directory domain as your users. Simply specify Integrated Security=SSPI in your connection string and grant regular users rights corresponding to what you want them to be able to do in the database (for example, read only access), but no more.
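As an added example (not code from this answer), the server-side half of the integrated-authentication approach: a login backed by an Active Directory group, mapped to a database user that is placed in db_datareader and nothing else, so no SQL Server password exists anywhere in the client. The domain group CORP\LoginFormUsers and the database MachineAuthDb are hypothetical placeholders.

```sql
-- Added example, not part of the original answer. Group and database names
-- are hypothetical placeholders.

-- Server level: a Windows login. SQL Server stores no password for it;
-- authentication is delegated to the domain.
CREATE LOGIN [CORP\LoginFormUsers] FROM WINDOWS;
GO

USE MachineAuthDb;
GO

-- Database level: map the login to a user and grant read-only access only.
CREATE USER [CORP\LoginFormUsers] FOR LOGIN [CORP\LoginFormUsers];
ALTER ROLE db_datareader ADD MEMBER [CORP\LoginFormUsers];
GO

-- Check: list every database role the group is a member of. The result
-- should contain db_datareader and no write or ownership role such as
-- db_datawriter or db_owner.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\LoginFormUsers';
GO
```

On the client side, `Integrated Security=SSPI` is the ADO.NET keyword; a Java client using the Microsoft JDBC Driver for SQL Server expresses the same thing with the `integratedSecurity=true` connection property and needs the driver's native authentication library installed alongside the application. Either way the connection string then contains no secret worth extracting from the JAR.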
