How to securely create Neo4j nodes via a webpage using Java/HTML forms

0 votes
Latest question by user: (120 points)

I want to create a webpage where a user sets up a profile via a form; form data is sent to my server and creates requisite nodes in Neo4j. I want to do this in a way that does as much as possible to prevent people arbitrarily sending commands to my server outside of the form, such as via Chrome or any other injection method.

I expect that I will need to utilize the REST API to connect with Neo4j via Java. It also seems like I will need to use Jersey to allow the site to communicate with the Neo4j REST API. I am new to securing data being transferred from the client to server and to validating data received by the server to ensure I am not sending commands to Neo4j that shouldn't have been sent, and which could cause all sorts of damage to my members. I am also new to utilizing graph databases and Neo4j in general.

Can someone give me a step-by-step example of how to basically accomplish this task? I am looking to find out what tools I need to install, and what types of commands I should include both on the client and on the server side to ensure that I am only passing correct data to Neo4j when creating/deleting/modifying nodes and relationships.

Thanks for any help that anyone is willing to provide - getting past this hump will allow me to move so much more quickly with the rest of my development.


0 votes
Latest answer by user: (300 points)

I guess the easiest way to prevent others from accessing your Neo4j instance is using the Neo4j authentication example. Just follow the docs on the start page. Additionally you might set up some IP address filtering using e.g. iptables on Linux to restrict network access to your Java client machine.

With authentication extensions installed, you need to supply username/password with each request. The easiest way to communicate with Neo4j from a Java client these days is using the Neo4j JDBC driver.

Posted by user: (120 points)
Maybe I'm being overly cautious or naive, but what prevents someone from just sending a POST command and grabbing a list of the current usernames/passwords, then sending an authenticated command? I've seen a little about the IP filtering option. I guess I don't fully understand the data flow process; how do I know what IP to filter if any new user could attempt to create an account through the forms? Don't I have to accept traffic from ANY IP?
Posted by user: (300 points)
Depends on your setup. Everyone needing direct access to Neo4j needs to have his IP whitelisted in your IP filter of course. In case you want to secure even more, consider using a VPN, e.g. OpenVPN.
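
An added example, not part of any post in this thread: a server-side check that validates the submitted form fields against allow-lists and passes them to Neo4j only as Cypher parameters (`$name`), so the query text stays a constant. The `User` label, the property names, the validation rules and the class name are assumptions made for illustration; the statement and parameter map would be handed to whichever Neo4j driver the server uses.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class ProfileNodeRequest {
    // Allow-list patterns (assumed rules for this example, adjust to your own policy).
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,32}");
    private static final Pattern EMAIL =
        Pattern.compile("[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,190}\\.[A-Za-z]{2,24}");

    // The query text is a constant: form values are never concatenated into it.
    static final String CREATE_USER =
        "CREATE (u:User {username: $username, email: $email}) RETURN id(u)";

    /** Validates raw form fields and returns the parameter map for CREATE_USER. */
    static Map<String, Object> toParameters(Map<String, String> form) {
        String username = required(form, "username", USERNAME);
        String email = required(form, "email", EMAIL);
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("username", username);
        params.put("email", email.toLowerCase(Locale.ROOT));
        return params;
    }

    // Rejects missing fields and anything that does not match the whole pattern.
    private static String required(Map<String, String> form, String field, Pattern allowed) {
        String value = form.get(field);
        if (value == null || !allowed.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid field: " + field);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample submissions: one well-formed, one carrying query syntax.
        Map<String, String> good = Map.of("username", "alice_01", "email", "Alice@example.com");
        Map<String, String> bad = Map.of("username", "bob'}) //", "email", "bob@example.com");

        System.out.println(CREATE_USER + " " + toParameters(good));
        try {
            toParameters(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validation in the browser is a convenience only; the check has to run on the server because requests can be sent without using the form.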