Re: MySQL communication around a firewall



H.L wrote:

> My Java web start application connects to a remote MySQL server hosted
> on a Tomcat server via the MySQL connector JDBC driver. The idea was
> that it connects through the standard port 3306, but the administrators
> are reluctant to allow anything through the firewall.

Hardly surprising. Allowing outside connection to a database server is not
something I would contemplate.

> We have raised the
> idea of communicating through another port. That port would be opened to
> connections from outside the firewall. This seems to imply that the
> client must also have opened that port. What kind of problem is this
> likely to cause? I would have thought that all ports were open on the
> client side. Perhaps this is just the case for 3306 and some other
> default values.

But you still have exactly the same (very serious) security implication of
exposing your database to the outside world. Your web client has to
authenticate to the database, and that authentication is hard coded into the
client for all to see. Anyone can extract it and connect directly to the
database and presumably issue SQL requests you did not intend. At the very
least it means you have to take steps to harden the database.

> It would then become an issue of whether we want to ask
> users to start mucking around with their network settings. I need to
> shed some light on this thing. Thanks in advance.


The normal solution to this problem is to use a servlet acting as a proxy. Your
web client talks to the servlet, the servlet in turn talks to the database. The
servlet is behind the firewall so should be ok connecting to the database. The
database authentication is done there, by the servlet, protected by the
firewall. The servlet controls what actions the client can perform on the
database.

If the servlet is deployed to the same server that the web client downloads from
so much the better as the web client won't need to be signed.

--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
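
The servlet-as-proxy arrangement described in the reply above, sketched as an added example that is not part of the original post. It assumes the javax.servlet API and a container-managed JNDI DataSource; the name `jdbc/AppDB`, the `/data` path, the action names and the table names are all hypothetical.

```java
import java.io.IOException;
import java.sql.*;
import java.util.Map;
import javax.naming.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Hypothetical proxy servlet: the client names an action and never sends SQL.
@WebServlet("/data")
public class DataProxyServlet extends HttpServlet {
    // Allow-list: action name -> fixed, parameterized statement (tables are made up).
    private static final Map<String, String> ACTIONS = Map.of(
        "orderStatus", "SELECT status FROM orders WHERE id = ?",
        "customerName", "SELECT name FROM customers WHERE id = ?");
    private DataSource db;

    @Override
    public void init() throws ServletException {
        try {
            // Database credentials live in the container's DataSource config, not in the client.
            db = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/AppDB is not configured", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String sql = ACTIONS.get(String.valueOf(req.getParameter("action")));
        String id = req.getParameter("id");
        if (sql == null || id == null || !id.matches("\\d{1,18}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown action or bad id");
            return;
        }
        try (Connection c = db.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setLong(1, Long.parseLong(id)); // at most 18 digits, so it always fits a long
            try (ResultSet rs = ps.executeQuery()) {
                resp.setContentType("text/plain;charset=UTF-8");
                while (rs.next()) resp.getWriter().println(rs.getString(1));
            }
        } catch (SQLException e) {
            log("query failed", e); // SQL error detail stays in the server log
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

With this in place the firewall only has to pass HTTP to Tomcat, and port 3306 stays reachable from the servlet host alone.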