2

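I am writing a desktop Java application for an environment with no network connectivity. I am trying to store the application data as securely as possible in an encrypted in-process hsqldb, alongside an unencrypted hsqldb for user information. hsqldb requires the crypto_key to be set in the jdbcurl when the connection is created. My application uses Hibernate for persistence and Spring for configuration and injection.

My current scheme is to store the username, password hash, salt and the crypto_key of the encrypted database in the unencrypted user table. The crypto_key is protected by asymmetric encryption using the user's password as the key. As a result, the application does not know what the crypto_key for the application data is until it has been running long enough to load the GUI and authenticate the user.

This is my current applicationContext.xml. Spring uses it to get Hibernate up and running.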

  <?xml version="1.0" encoding="UTF-8"?>
  <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">

<context:component-scan base-package="com.company.domain" />
<context:component-scan base-package="com.company.service" />

<tx:annotation-driven />

<bean id="userDataSource" 
    class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
    <property name="url" 
        value="jdbc:hsqldb:./ReviewDatabase/users" />
    <property name="username" value="reviewer" />
    <property name="password" value="$kelatonKey" />
</bean>


<bean id="mainDataSource" 
    class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="org.hsqldb.jdbcDriver" />
    <property name="url" 
        value="jdbc:hsqldb:./ReviewDatabase/data" /> <!-- TODO: ;crypt_key=;crypt_type=AES -->
    <property name="username" value="reviewer" />
    <property name="password" value="$kelatonKey" />
</bean>

<bean id="userSessionFactory"
    class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
    <property name="dataSource" ref="userDataSource" />
    <property name="annotatedClasses">
        <list>
            <value>com.company.domain.AppUser</value>
        </list>
    </property>
    <property name="hibernateProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop>
            <prop key="hibernate.show_sql">true</prop>
            <prop key="hibernate.hbm2ddl.auto">update</prop>
        </props>
    </property>
</bean>

<bean id="mainSessionFactory"
    class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
    <property name="dataSource" ref="mainDataSource" />
    <property name="annotatedClasses">
        <list>
<!--                <value>com.company.domain.Person</value> -->
<!--                <value>com.company.domain.Thing</value> -->
<!--                <value>com.company.domain.Thing1</value> -->
<!--                <value>com.company.domain.Thing2</value> -->
<!--                <value>com.company.domain.Review</value> -->
        </list>
    </property>
    <property name="hibernateProperties">
        <props>
            <prop key="hibernate.dialect">org.hibernate.dialect.HSQLDialect</prop>
            <prop key="hibernate.show_sql">true</prop>
            <prop key="hibernate.hbm2ddl.auto">update</prop>
        </props>
    </property>
</bean>


<bean id="mainTransactionManager" 
    class="org.springframework.orm.hibernate4.HibernateTransactionManager">
    <property name="sessionFactory" ref="mainSessionFactory" />
</bean>

<bean id="userTransactionManager"
    class="org.springframework.orm.hibernate4.HibernateTransactionManager">
    <property name="sessionFactory" ref="userSessionFactory" /> 
</bean>
</beans>

This is an example of a class into which I want the SessionFactory injected:

import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;

import com.company.domain.Review;

@Repository("ReviewDao")
public class HibernateReviewDao implements ReviewDao {

    private SessionFactory mainSessionFactory;

    @Autowired
    public void setMainSessionFactory(SessionFactory mainSessionFactory) {
        this.mainSessionFactory = mainSessionFactory;
    }

    @Override
    @Transactional(value = "mainTransactionManager")
    public void store(Review review) {
        mainSessionFactory.getCurrentSession().saveOrUpdate(review);
    }

    @Override
    @Transactional(value = "mainTransactionManager")
    public void delete(Long reviewId) {
        Review review = (Review) mainSessionFactory.getCurrentSession()
                .get(Review.class, reviewId);
        mainSessionFactory.getCurrentSession().delete(review);
    }
}

Finally, this is what I am trying to do after authenticating the user and obtaining that crypto_key:

    String jdbcUrl = "jdbc:hsqldb:./ReviewDatabase/data2;crypt_key=" + secret + ";crypt_type=AES";
    ServiceRegistry serviceRegistry = new ServiceRegistryBuilder()
    .applySetting("hibernate.dialect", "org.hibernate.dialect.HSQLDialect")
    .applySetting("hibernate.show_sql", "true")
    .applySetting("hibernate.hbm2ddl.auto","update")
    .applySetting("hibernate.connection.driver_class", "org.hsqldb.jdbcDriver")
    .applySetting("hibernate.connection.url", jdbcUrl)
    .applySetting("hibernate.connection.username", "reviewer")
    .applySetting("hibernate.connection.password", "$kelatonKey")
    .buildServiceRegistry();

    SessionFactory mainSessionFactory = new MetadataSources(serviceRegistry)
        .addAnnotatedClass(com.company.domain.Review.class)
        .addAnnotatedClass(com.company.domain.Person.class)
        .addAnnotatedClass(com.company.domain.Thing.class)
        .addAnnotatedClass(com.company.domain.Thing1.class)
        .addAnnotatedClass(com.company.domain.Thing2.class)
        .buildMetadata()
        .buildSessionFactory();
    org.springframework.orm.hibernate4.HibernateTransactionManager htm = 
            (HibernateTransactionManager)context.getBean("mainTransactionManager");
    context.getAutowireCapableBeanFactory().initializeBean(mainSessionFactory, "mainSessionFactory"); 
    htm.setSessionFactory(mainSessionFactory);  

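However, done this way, the first query against the objects above results in org.hibernate.HibernateException: No Session found for current thread

How can I change the jdbcurl after Hibernate has been initialized, the dependencies have been injected and all sorts of other tomfoolery has taken place? I have been putting off this part of the development hoping that Google would eventually come through, but I am out of ideas for what to search for. All answers will be sheepishly accepted :)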

4

3 Answers

0

I wonder if this helps: Can I replace a Spring bean definition at runtime? You can give the bean dummy properties to start with, then change the bean at runtime.

answered 2012-09-27T13:08:47.423
0

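So, the missing piece of the recipe was LocalSessionFactoryBean. It handles the sessionFactory setup, so I can replace the sessionFactories that were created at initialization. This is the code I had to change from the question: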

    org.springframework.orm.hibernate4.HibernateTransactionManager htm = 
            (HibernateTransactionManager)context.getBean("mainTransactionManager");
    Class<?>[] classes = new Class<?>[5];
    classes[0] =  com.company.domain.Thing1.class;
    classes[1] =  com.company.domain.Thing2.class;
    classes[2] =  com.company.domain.Person.class;
    classes[3] =  com.company.domain.Thing.class;
    classes[4] =  com.company.domain.Review.class;

    String jdbcUrl = "jdbc:hsqldb:./ReviewDatabase/data3;crypt_key=" + secret + ";crypt_type=AES";

    java.util.Properties hibernateProperties = new java.util.Properties();
    hibernateProperties.setProperty("hibernate.dialect", "org.hibernate.dialect.HSQLDialect");
    hibernateProperties.setProperty("hibernate.show_sql", "true");
    hibernateProperties.setProperty("hibernate.hbm2ddl.auto","update");
    hibernateProperties.setProperty("hibernate.connection.driver_class", "org.hsqldb.jdbcDriver");
    hibernateProperties.setProperty("hibernate.connection.url", jdbcUrl);
    hibernateProperties.setProperty("hibernate.connection.username", "reviewer");
    hibernateProperties.setProperty("hibernate.connection.password", "$kelatonKey");


    LocalSessionFactoryBean slfb = new LocalSessionFactoryBean();
    slfb.setHibernateProperties(hibernateProperties);
    slfb.setAnnotatedClasses(classes);
    try {
        slfb.afterPropertiesSet();
    } catch (IOException e) {
        Log.warn("Cannot connect to application database");
        Log.write(e.getLocalizedMessage());
        Log.write(e.getStackTrace());
        return;
    }
    SessionFactory mainSessionFactory = slfb.getObject();
    context.getAutowireCapableBeanFactory().initializeBean(mainSessionFactory, "mainSessionFactory");

    htm.setSessionFactory(mainSessionFactory);  
    for(ListenForNewSessionFactory dao : daos){
        dao.setNewSessionFactory(mainSessionFactory);
    }

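I had each Dao implement an interface for setting the sessionFactory, and had each of them add itself to a static list at initialization. It is not very reusable, but it works.

answered 2012-09-28T02:01:59.210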
0

I used the following trick: wherever I need a SessionFactory, I use a SessionFactoryFactory (below), which delegates the only method of SessionFactory that I actually use.

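import java.io.IOException;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.orm.hibernate4.LocalSessionFactoryBean;
import org.springframework.stereotype.Component;

@Component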
public class SessionFactoryFactory {
    @Autowired
    private LocalSessionFactoryBean sessionFactoryBean;

    @Autowired
    private DriverManagerDataSource dataSource;

    private SessionFactory sessionFactory;

    private SessionFactory getSessionFactory() {
        if (null == sessionFactory) {
            sessionFactory = sessionFactoryBean.getObject();
        }
        return sessionFactory;
    }

    public Session openSession() {
        return getSessionFactory().openSession();
    }

    public void updateDataSourceUrl() throws IOException {
        sessionFactory = null;
        sessionFactoryBean.afterPropertiesSet();
    }
}

answered 2013-10-25T09:50:18.863