Is it bad to connect to a database via an applet?

[jmDesktop]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck. I want to write a game in an applet that
utilizes a database. I don't want to use Flash and php, which I keep
reading folks use. I want use Java. I just don't know the proper
design. Do I have a middle page, a servlet, that sits on the server
the applet talks to and that middle page talks to the server and
selects/updates the database? Thanks.

 

[Arne Vajhøj]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck. I want to write a game in an applet that
utilizes a database. I don't want to use Flash and php, which I keep
reading folks use. I want use Java. I just don't know the proper
design. Do I have a middle page, a servlet, that sits on the server
the applet talks to and that middle page talks to the server and
selects/updates the database?

Yes. It is bad to let the applet talk directly to the database.

applet----(HTTP)----web app----(JDBC)----database

is better.

See my reply to your other post for details.

Arne

 

[jmDesktop]

Yes. It is bad to let the applet talk directly to the database.

applet----(HTTP)----web app----(JDBC)----database

is better.

See my reply to your other post for details.

Arne

Does the same go for using webstart? Any Java application (not just
applet) that connects over the Internet?

 

[Arne Vajhøj]

Does the same go for using webstart? Any Java application (not just
applet) that connects over the Internet?

Yes.

The only half safe way is to have end user specific accounts on the
database.

And that is not good.

And it is still not good to have direct access from the internet to the
database server.

Arne

 

[jmDesktop]

Yes.

The only half safe way is to have end user specific accounts on the
database.

And that is not good.

And it is still not good to have direct access from the internet to the
database server.

Arne

Is that middleware piece a "servlet"?

 

[Dave Miller]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck. I want to write a game in an applet that
utilizes a database. I don't want to use Flash and php, which I keep
reading folks use. I want use Java. I just don't know the proper
design. Do I have a middle page, a servlet, that sits on the server
the applet talks to and that middle page talks to the server and
selects/updates the database? Thanks.

There is no play in Arnie's advice about not having your client side
code talk directly to the DB - there is no way to do that without
shooting yourself in the head.

The simplest safe way to get the data from the db on the server to your
applet on the client is to build a servlet as your middleware. MySQL has
an easy to use jdbc driver available here:
http://dev.mysql.com/downloads/connector/j/3.1.html
Both applet and servlet have built in methods for http communication.
Applet and servlet connect via http, servlet and db connect via jdbc and
you're good to go.

 

[BTDTGTTS]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck. I want to write a game in an applet that
utilizes a database. I don't want to use Flash and php, which I keep
reading folks use. I want use Java. I just don't know the proper
design. Do I have a middle page, a servlet, that sits on the server
the applet talks to and that middle page talks to the server and
selects/updates the database? Thanks.

Other than the security aspects that have already been addressed, there is
another advantage to having a server side servlet sitting between your
applet and database. An applet can only talk to the server from which it
was loaded which means that your database must sit on your web server.
There is no such restriction on a servlet which means you can put/move your
database wherever you want it.

 

[Silvio Bierman]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck. I want to write a game in an applet that
utilizes a database. I don't want to use Flash and php, which I keep
reading folks use. I want use Java. I just don't know the proper
design. Do I have a middle page, a servlet, that sits on the server
the applet talks to and that middle page talks to the server and
selects/updates the database? Thanks.

Apart from statements made by other posters there is an additional thing
to consider. Typically many users who reach your applet will be using
some kind of proxy that only allows traffic targeted at certain ports
like 80/HTTP, 25/SMTP, 110/POP3 etc.
Direct database access from your applet will not only be limited to
using the same host as the one that served the applet but also to using
non-blocked ports. Most proxies will not allow traffic to the port your
DBMS flavor prefers to use.

 

[Roedy Green]

I was trying to figure out how to connect an applet to a mysql
database. I only found very old articles on it. It seems no one does
this. So, now I am stuck.

normally you would do it with a Servlet intermediary that actually
does the database calls.

Having the Applet do it directly exposes the JDBC API to the wicked.

The servlet can also intelligently sift through the information
provided by JDBC to keep the traffic to a minimum.

 

[Mark Space]

Is that middleware piece a "servlet"?

I was kinda confused by Arne first comment too, but "user specific
accounts" in his second reply makes it plain what he is getting at here.

If your applet or JWS program can access a database, so can anyone else.
Your database is "bare" on the 'net and anyone at all can connect to
it anytime he or she wants. It's a security hole.

So, with that in mind: servlets can be one way to implement the
protection needed on your server to prevent unauthorized access your
database.

However, especially in the case of JWS, the answer might even be
"probably not" with respect to using servlets as middleware. Certainly
it possible to write your own protection layer in Java, deamonize it,
and then let it listen for connections and provide the level of security
desired.

Servlets do have some built-in advantages. The networking code is done
for you already. Port 80 is almost always allowed on client system.
And SSL provides encryption, which will be necessary for any real form
of security. But using servlets should be weight against all other
options. It's not a given and definitely not the only choice.

Well I hope this was at least partly clear....

 

[Arne Vajhøj]

Is that middleware piece a "servlet"?

That web app can be anything.

If it is Java server side, then it will be a servlet (JSP is not
suitable).

But it could also be a PHP web app or anything else.

Arne

 

[Arne Vajhøj]

A best practice is to use a layered architecture. Arne illustrated one
with three basic layers: front end, middleware logic and back end data
system.

Refinements of the scheme might split middleware into control logic
("Controller"), presentation logic ("View") and business logic
("Model"), for example. The business logic might communicate to the
data system via a connection layer, such as a Java Persistence API (JPA)
framework (TopLink, Hibernate, OpenJPA).

How many layers you architect, and how thick or thin each one is,
depends on the needs of the particular project. Three layers seems the
minimum, more than seven would be suspect.

The separation of model, view and controller (the
"Model-View-Controller" or "MVC" architecture) has many advantages for
robustness, correctness, stability, maintainability and expandability.
This is a case of the principle of separation of concerns - each layer
has a narrow focus of responsibility and clean, simple ways of
communication with its nearest neighbor layers (and no others).

A Java Enterprise architecture would use JSPs or XHTML pages for the
presentation artifacts, quite likely script enhanced. A framework like
Java Server Faces (JSF) provides the interface components, also
controller and presentation logic components. A custom or
framework-provided servlet (or small set of servlets) provides the glue
that ties those front-end components to the business logic components.
There might be specialized communication libraries to carry messages
between layers, such as web-services frameworks or message queues. The
business logic comprises Java components variously realized as POJO
(likely JavaBean-ish) classes or Enterprise JavaBeans (EJBs), which are
not the same as non-Enterprise JavaBeans. They handle things like
coordination of authentication, stitching together requested data into
meaningful structures and so on. Business logic can represent entities,
the nouns of the application domain, or processes, the verbs of the domain.

Business logic connects to the data layer, data layer talks to the
datastore, oh, oh, dem bones.

I just made it sound complex, and it can be if the requirements are big
enough. It doesn't need to be. Simple web apps use
XHTML/JSPs/JSF/scripting for the front end, a little bit of servlet
controlling things, Java objects handling business logic, JPA framework,
PostgreSQL or Derby (JavaDB) on the back end and you're good to go.

All very correct.

If it is for a human interface.

An interface for an applet would be different. No XHTML/JSP/JSF.

Either a servlet per interaction type. Or a single servlet that
forwards to different classes.

Anyway it will not be MVC - only 100% M + 0% V + 50% C.

Arne

 

[jmDesktop]

I was kinda confused by Arne first comment too, but "user specific
accounts" in his second reply makes it plain what he is getting at here.

If your applet or JWS program can access a database, so can anyone else.
  Your database is "bare" on the 'net and anyone at all can connect to
it anytime he or she wants.  It's a security hole.

So, with that in mind: servlets can be one way to implement the
protection needed on your server to prevent unauthorized access your
database.

However, especially in the case of JWS, the answer might even be
"probably not" with respect to using servlets as middleware.  Certainly
it possible to write your own protection layer in Java, deamonize it,
and then let it listen for connections and provide the level of security
desired.

Servlets do have some built-in advantages.  The networking code is done
for you already.  Port 80 is almost always allowed on client system.
And SSL provides encryption, which will be necessary for any real form
of security.  But using servlets should be weight against all other
options.  It's not a given and definitely not the only choice.

Well I hope this was at least partly clear....

Yes and thank you to everyone. I only need the applet because I need
a richer graphical environment than a regular webpage, and I don't
want to use Flash, Flex, or Silverlight. I thought about JavaFX, but
not sure and the tools are all there yet. Plus I just want to use
Java (and associated variations, jsp, etc.)

 

[Arne Vajhøj]

I think of applets as subsuming V.

Yep.

The applet has the 0% M + 100% V + 50% C missing.

Arne

 

[Andrew Thompson]

...An applet can only talk to the server from which it
was loaded ..

Unless it is digitally signed by the developer, and
accepted as 'trusted' by the user, then it can do
(almost) anything.

And to the OP, once you have the other details
on the server sorted, I would recommend a JWS
based app. over an applet. It will lower
maintenance costs.

 

[Mark Space]

And to the OP, once you have the other details
on the server sorted, I would recommend a JWS
based app. over an applet. It will lower
maintenance costs.

Yup. Applets are almost never used anymore. Look into Dojo, AJAX, GWT
and JSF too. These are all web app tools, that only run on the server
and in the browser. However they are the popular choices now-a-days.

 

[jmDesktop]

Unless it is digitally signed by the developer, and
accepted as 'trusted' by the user, then it can do
(almost) anything.

And to the OP, once you have the other details
on the server sorted, I would recommend a JWS
based app. over an applet.  It will lower
maintenance costs.

If something is JWS based. Is that a regular java app, just launched
on the client via Java Web Start?

 

[Arne Vajhøj]

Yup. Applets are almost never used anymore. Look into Dojo, AJAX, GWT
and JSF too. These are all web app tools, that only run on the server
and in the browser. However they are the popular choices now-a-days.

JWS is not used much either.

The fact that Windows does not ship with Java has effectively
stopped client side Java.

Arne

 

[Mark Space]

If something is JWS based. Is that a regular java app, just launched
on the client via Java Web Start?

I think yes, it's a regular app. If it's not signed, the user still has
to say "OK" if the app needs to write the local file system or access
the network (aside from the download server), etc.

But from the program's point of view it can be a plain old Java program.

 

[Dave Miller]

Unless it is digitally signed by the developer, and
accepted as 'trusted' by the user, then it can do
(almost) anything.

And to the OP, once you have the other details
on the server sorted, I would recommend a JWS
based app. over an applet. It will lower
maintenance costs.

Interesting comment - where do you see the advantage in maintenance costs?