
I am using the MongoDB Java driver for my Java client application. It needs to connect to a MongoDB server running remotely.

I am concerned that someone could decompile the jar and find out the IP address of the MongoDB server and access it, but the user needs to have read and write access. Should I create a database for each user and authenticate them? Or create a User collection myself?

    import com.mongodb.DB;
    import com.mongodb.Mongo;
    Mongo mongo = new Mongo("mongodb.server", 27017);
    DB db = mongo.getDB("mydatabase");
    // authenticate() takes the password as char[], not String
    boolean ok = db.authenticate("test", "password".toCharArray());

By the way, db.authenticate() requires a char[] as the password, so the db.authenticate() call above is not working.

Another solution I thought of was to use a middleman server which would be the only thing that connects to MongoDB. The application would connect to the middleman server via HTTP POST.

However, I need to directly store Java objects serialized into JSON on MongoDB, so using the middleman server makes things difficult.

Parvin Gasimzade
KJW

3 Answers

If you are deploying code to clients then you could create a user per db and have them enter it or include it as a resource in your application (unique to each user download).

Generally, people don't expose their database directly to their (untrusted) clients. Many people create REST/remote APIs for this purpose, where each application function requires authentication and can be authorized.

Scott Hernandez

Auth should be done with the "admin" db. Use the following instead:

    import com.mongodb.DB;
    import com.mongodb.Mongo;
    Mongo mongo = new Mongo("mongodb.server", 27017);
    // authenticate against the "admin" database, then switch to the application database
    DB db = mongo.getDB("admin");
    boolean ok = db.authenticate("test", "password".toCharArray()); // password must be char[]
    db = mongo.getDB("mydatabase");
xdazz

It is against security best practice to hard-code credentials; just don't do it. A web service layer is the best way to go about it, as Scott mentioned.

I went to a MongoDB user conference and was told that they are working on third-party authentication systems (Active Directory/LDAP, etc.). Once that is available, you may be able to use things like Windows Integrated Authentication, etc. (assuming drivers support it), or at the very least password authentication using LDAP.

gauravphoenix