5 Replies Latest reply on Apr 6, 2004 9:21 AM by martin0

userid/password for CMP

michaellee Apr 5, 2004 10:43 PM

Hi,

I have successfully deployed CMP entity bean using hardcoded userid and password in database connection setup. (in my case, it is sybase-service.xml). I have set security control on the ejb-jar.xml so that only user with specified role can access and manipulate the bean. Every thing seems okay.

However, i would like to know whether the user id and password can be stored in somewhere else (other than the -ds.xml).

Why?

I would like to prevent an developer from developing a program which use JNDI look up for the database connection and then access the data using JDBC call. (for example, if the CMP entity bean is used to store something related to salary, i don't want anyone bypass the role checking built-in for the EJB)

Regards,
Michael

1. Re: userid/password for CMP

martin0 Apr 6, 2004 7:48 AM (in response to michaellee)

Michael,

I believe you can specify the security-realm login access to the database.

See http://www.jboss.org/index.html?module=bb&op=viewtopic&t=45111

Martin
Actions
2. Re: userid/password for CMP

michaellee Apr 6, 2004 8:12 AM (in response to michaellee)

Martin,

Thanks for your information.

Using the proposed method, the database password can be encrypted and not readable in the config file. However, by using JNDI lookup for the datasource, then call getConnection using the return datasource, a connection will be created to access the database even though the password is unknown. Is this correct?

Is it possible to specify connection information in say jbosscmp-jdbc.xml?

Regards,
Michael
Actions
3. Re: userid/password for CMP

martin0 Apr 6, 2004 8:37 AM (in response to michaellee)

They can only do that if they can deploy it in the relevant security domain (I believe).

Bottom line is they can use a command line SQL tool to access the database. Sounds like the security you need belongs in the database too.

Also if they have access to the deployment descriptors, they can just change the method-permission.

Sounds like you need to restrict access to the production server and have the application deployer be a trusted member of staff.

I'm interested to see what outcome you have.

Martin
Actions
4. Re: userid/password for CMP

michaellee Apr 6, 2004 9:00 AM (in response to michaellee)

Actually, i am new to J2EE Application server and just develop a simple application. What i am thinking is:

In the development environment, jmx-console is not protected and each programmer can use the JNDIViewer to obtain the JNDI name defined for the datasource. Afterward, a simple JSP may be developed and then deployed (thru formal procedure since the boss do not know what the JSP is all about) to production server. If production environment is the same as testing (respect to JNDI naming), the JSP can be used to access restricted information.

On the other hand, deployment descriptor for production server may not be so easily accessible.

Any suggestion?

Regards,
Michael
Actions
5. Re: userid/password for CMP

martin0 Apr 6, 2004 9:21 AM (in response to michaellee)

1) The jmx-console web app should be secured like any other web app

I'll think about other things later.

Martin
Actions

Go to original post