2

I've been developing a Java desktop app from some time and basically what it does is to CRUD data of a MySQL database online. My problem now is security, I don't want to hardcore any user information on the client app. I'm thinking of two ways of doing this:

  1. Harcode most of the MySQL statements in the client app and use the server app to transfer user and password information to the client, so the client can connect directly to the database. Which I don't like that idea because I don't want the user to have any way of getting database credentials.

  2. Using a 3-tier architecture. I have the client app almost fully coded, I have the server running on MySQL, now I need a middle layer to handle all the logical operations, credentials and everything and for that to communicate with the client app, example: if the client app asks for an inventory list, then the server check it's credentials and send the client app a file with all the inventory.

My problem is this:

  • Which component should I use to achieve option 2? I've been told to use Servlets, I've been reading about that but will that be the best option? Servlets are used for web apps and I don't know how can I get my client-app (which would be run on a desktop) communicate with Servlets and receive the data?
Exteam
  • 96
  • 7
MrRene
  • 174
  • 11
  • have you ever used rest api or something similar where you can hide the database and other information from client – Exteam Jan 13 '20 at 22:55
  • no, not really. this is my first app and I'm stuck with how to move forward. that'll be a better option than servlets? – MrRene Jan 13 '20 at 23:06
  • The most common n-tier architecture these days **would *probably* be** a [RESTful API](https://en.wikipedia.org/wiki/Overview_of_RESTful_API_Description_Languages). – Elliott Frisch Jan 14 '20 at 00:13
  • I'll check on that, thank you! – MrRene Jan 14 '20 at 20:15

3 Answers3

0

You are right to be skeptical of your first choice. For one thing, MySQL and other database servers are much more secure when they're firewalled away from the public internet.

You need a server tier that can deliver data to your client tier.

Important security tip do not build a server tier to accept raw SQL queries from a client tier. A cybercreep may use it to issue queries like SELECT * FROM user and compromise your data. Or DROP TABLE user to trash your system.

Work out an API by which your clients may request CRUD services from your server. You may want to consider a REST - style API where clients can say things like

GET https://example.com/user/id

or update the data with things like

POST https://example.com/user/id

tel=5551212&email=mickey@disney.com

The trick is to figure out what kinds of objects you want to use in your REpresentational State Transfer. Then you can use http PUT to create them, POST to replace or update them, and DELETE to delete them.

REST-style APIs are quite simple to implement from within your client; they use ordinary HttpClient operations. They're easily secured with https.

They are typically authorized with a secret token, an API key, carried in an http header object with each request. You can read about that.

So, your server code must implement your API. If you choose to use the Java language to implement it, servlets are the way to go: they are the way to develop and deploy Java web server code. You can deploy them in a Tomcat or Jetty server environment.

Plenty of resources are available about how to do this. For example, https://www.journaldev.com/9170/restful-web-services-tutorial-java

O. Jones
  • 103,626
  • 17
  • 118
  • 172
  • Thank you for your answer, I think this'll more suitable. However can I make my app to send request to the servlets and receive them without building a web application? Can that be done through html or xml? Maybe in a way that the app can create an html behind the scenes and send it to the server and then receive another html and display the content in the app? I'm studying about servlets but I'm not yet 100% sure that'll be possible – MrRene Jan 14 '20 at 20:29
0

Or, remote user-interface via web browser

3rd choice: Web app running all your business logic on the server-side with the user-interface running remotely in a web browser using auto-generated HTML/CSS/JavaScript. The user would be running a web browser rather than your web browser.

In this scenario, the client never touches your database directly nor runs any sensitive code. I think of this as a modern reincarnation of the old X Window System (app on server, UI remotely rendered).

There are two such platforms:

  • Vaadin running pure Java on the server. Built on top of well-worn Java Servlet technology.
  • Xojo Web Edition (formerly known as RealBasic) running a proprietary compiled object-oriented programming language on the server.

In both of these products, the web browser is used to display the user-interface widgets such as labels, fields, buttons, pop-up menus, lists, and data-grids. When the user uses any of these widgets, an event is raised on the server-side. Your business logic then executes on the server-side. Your business logic and database connections live only on the server. The client gets nothing more than the data to be displayed in forms on screen.

diagram showing a Vaadin server sitting between a web browser on one side and database & services on the other side

Both of these platforms auto-generate all the HTML, CSS, JavaScript, DOM, AJAX, WebSocket, and Push code. So you need not master those web technologies. Both of these platforms can be used with any modern web browser as they use only standard web technologies. No plugins or applets involved.

You will need to rewrite your app. But this may not be as daunting as it sounds. Most of the work in a desktop app is in the design, working out the details of user experience, and deteriming business rules. That would all transfer over to your Vaadin or Xojo work. And if using Vaadin, all your non-GUI Java code would be directly transferable.

If your native local app had special features that cannot be recreated within the limitations of a web app, then this approach is not suitable. But you said the main purpose of your app is database CRUD. Such business-style forms-oriented apps are the main purpose for Vaadin & Xojo Web Edition.

Running web app offline

Vaadin has early support for Progressive Web Apps (PWA) to enable a web app running offline. Currently bleeding edge, but improving, with browsers already building in support for the necessary infrastructure. If PWA can be made to work well, some kinds of desktop apps could be replaced with a PWA web app.

See the Vaadin Progressive Web App Handbook.

Basil Bourque
  • 303,325
  • 100
  • 852
  • 1,154
  • Thank you for your answer, Basil. That'll be more useful for a CRUD application but this must be a desktop app because it doesn't only work for CRUD but also has some part functions that must work locally and sometimes offline. – MrRene Jan 14 '20 at 20:25
  • @ReneAlvarenga Understood. Check back though, as Vaadin has early support for [*Progressive Web Apps (PWA)*](https://en.wikipedia.org/wiki/Progressive_web_application) to enable a web app running offline. Currently bleeding edge, but improving, with browsers already building in support. See the [*Vaadin Progressive Web App Handbook*](https://vaadin.com/pwa). – Basil Bourque Jan 14 '20 at 20:36
  • On second thought... Basil, this does really seems like the best way of releasing my product. I have no problems recreating the desktop app because as you said most of it is the UI/UX, there are some non-GUI codes that can be transferred thankfully... but about the UI, do I need to study about HTML5 or more CSS to recreate it in vaadin? And running the app offline, it is possible to save a log of the tasks that the user is doing and then update it online to the database when the user has connection? – MrRene Jan 14 '20 at 21:01
  • @ReneAlvarenga No need to master HTML nor CSS, that is the entire point of Vaadin Flow: hiding the underlying web technology. While working in Vaadin, you are just writing Java code with the usual desktop idioms of label-field-button-etc widgets as objects in memory, with properties and listeners. All the HTML/CSS/JavaScript is generated on-the-fly at runtime. – Basil Bourque Jan 14 '20 at 21:07
  • @ReneAlvarenga That being said, it can help to know a bit of HTML & CSS, just because HTML5 & CSS3 have so radically improved in recent years that Vaadin's layout managers and widgets are much closer to underlying their web counterparts, less abstractions and hacks. A `VerticalLayout` and `HorizontalLayout` in Vaadin is now directly implemented as a CSS FlexBox, and a grid layout can now be implemented as a CSS Grid Layout. My entire web knowledge is basically from implementing a little static web site for friends every couple years. That little bit of HTML & CSS practice goes a long way. – Basil Bourque Jan 14 '20 at 21:11
  • @ReneAlvarenga For doing fancy complicated forms on screen, you will likely want to use a CSS Grid to organize the widgets. [See this overview of layout options in Vaadin](https://vaadin.com/docs/v14/flow/migration/5-components.html#layouts). And see the excellent video tutorials on CSS Grid by Jen Simmons on the YouTube channel [*Layout Land*](https://www.youtube.com/layoutland). – Basil Bourque Jan 14 '20 at 21:17
  • @ReneAlvarenga As for PWA features, I have not tried offline apps. So I cannot advise. As I cautioned, PWA is bleeding edge, so be sure to experiment and test well on the browsers to be used by your users. You may find some tutorials on the official [Vaadin channel](https://www.youtube.com/channel/UCsGakFIbOsj-fgPFLf1QlQA) on YouTube, and on [their company blog](https://vaadin.com/blog/). – Basil Bourque Jan 14 '20 at 21:19
  • Thanks Basil! I've been checking some videos about vaadin, my concern now is the UI, it does have some fancy things. My concern is in the positions and the looks of the components, a lot of my now current UI are vertical panes and horizontal panes set in contrains, with a lot of grid panes in the center showing the data. Will all the components I create in vaadin be editable with CSS? Using a style class I'm guessing? This is my last question, so far it looks that I'll be going this way – MrRene Jan 14 '20 at 22:31
  • @ReneAlvarenga See [that page about layouts](https://vaadin.com/docs/v14/flow/migration/5-components.html#layouts) I linked above. It compares the old Vaadin 8 widgets to the new Vaadin Flow (versions 10+). Both the old `AbsoluteLayout` and `GridLayout` were dropped as you can now use straight CSS for both purposes. See [this](https://stackoverflow.com/questions/54421131/how-to-use-a-css-grid-in-vaadin-flow-as-replacement-for-framework-8s-gridlayout) and [this](https://stackoverflow.com/q/51216311/642706). And see [Vaadin forums](https://vaadin.com/forum). – Basil Bourque Jan 15 '20 at 00:45
  • @ReneAlvarenga Be aware that you can nest layouts within layouts in Vaadin. So some layouts can be accomplished, for example, by cleverly placing `VerticalLayout` & `HorizontalLayout` instances (FlexBox in CSS) within others of the same or different kind. Tip: Use a bit of CSS to display an ugly border (like thick dashed orange/purple/red color) around the layout to understand behaviors. Layouts are tricky to understand and get right, of course. And web apps are certainly more limited than native apps in this regard and in other regards. So Vaadin may or may not work for you. Good luck. – Basil Bourque Jan 15 '20 at 00:48
  • @ReneAlvarenga Regarding affecting Vaadin widgets with CSS, yes all the Vaadin Flow widgets are built with [Web Components](https://en.wikipedia.org/wiki/Web_Components). So all the Vaadin components are built of nothing but HTML/CSS/JavaScript.They can even be used outside of Vaadin Flow by JavaScript web developers without any Java. So, Yes, your CSS can affect them. See [*Theming applications with CSS*](https://vaadin.com/docs/v14/flow/theme/theming-overview.html) chapter of the manual. – Basil Bourque Jan 15 '20 at 01:02
0

Proxy way

Regarding your particular use case I'd suggest you yet another way of solving. You mentioned that you already have a desktop application probably with lots of code. At the moment it requests DB directly. So from my point of view it would be rather difficult to migrate your data access logic onto another technology - 3tier. And it almost doesn't depend on exact choice.

If I got it right your main problem is security for DB. To solve this without completely rewriting your application you can introduce some sort of proxy for DB as an intermediate layer. This proxy will reside on server side and store credentials for DB. So they will not be available for client. Client connects to proxy and behaves exactly in the same way as before except credentials ( you can of course require credentials for proxy). To protect raw data you can introduce some limitations for access to data on proxy side.

I'm not sure this is simple task to do. It is more about network/system programming. But I expect much less volume of work to do if your current application is big and mature enough. You can try to lookup some existing tools like jdbc-proxy as starting point.

Anton Astafiev
  • 66
  • 5