4 Replies Latest reply on May 27, 2004 12:54 PM by starksm64

    Application Managed Security

    jeeads

      I am building a system that federates different datasources and then delivers them in a common fashion through a known logical vocabulary. Some of the databases require application managed security, in other words, they require the user to log in to the database with a database-specific account. I know how to set up for using the JAAS username and password or for setting up a default username and password, but I can't figure out how to imply application managed security. I have all of the documentation and I understand where to configure <application-managed-security/> in the configuration files, but I can't find an example of how to supply the username and password if the connection is not already pooled. I have seen many references to getConnection(username, password), but is there an example of how this would be used? I currently have a configuration database that stores the type of datasources available and their connection information. I could query this database to get the necessary username and password and the type of security for the specific datastore.

      Thanks
      Jerry

        • 1. Re: Application Managed Security
          starksm64

          Just look up the DataSource from JNDI and then use the getConnection(username, password) form to obtain the connection.

          • 2. Re: Application Managed Security
            jeeads

            Scott,
            Thanks for the quick reply. I understand what you said and I know how to use the getConnection with the DAO design pattern. My dilemma is that I am using CMP Entity Beans to access fine grained objects in the datasources. How would I configure the container to use getConnection with CMP Entity Beans?

            Thanks
            Jerry

            • 3. Re: Application Managed Security
              jeeads

              Scott,
              Should I create a different security realm for each of the application managed security datasources with a login module that reads the configuration datasource for user name and password for the specific datasource? If so, should I then leave the password and username attributes out of their specific *-ds.xml files? As I read the documentation, if I do this the JAAS principal information will be used in the connect string. Is that right, and will it be the JAAS information from the correct login module?
              Really I am only trying to set up a pooled connection to be used by the current user via his alias to the given datasource. It seems that if I use the Login Module stuff then my Application Server authentication may not work as expected?
              How far off am I?

              Boat Drinks
              Jerry

              • 4. Re: Application Managed Security
                starksm64

                Yes, you have to handle this at the login module level, but this is not application-managed-security, which cannot be used with CMP as the application is not the one obtaining the connection. It's container-managed security with the security context derived from the caller's context, and there should not be any username/password in the *-ds.xml (unless there is a meaningful default).

                So if the connection credentials are simply those of the caller then use a security realm that uses the org.jboss.resource.security.CallerIdentityLoginModule login module. If you need the connection credentials to be some function of the caller identity, then create your own login module using the CallerIdentityLoginModule as a starting point.
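
The getConnection(username, password) form from reply 1, for application code (a DAO) that obtains the connection itself; as reply 4 notes, it does not apply to CMP. This is an added example, not code from the thread: the JNDI name java:/ConfigDS, the DS_ACCOUNT table and its columns, and the class name are all assumptions standing in for the poster's configuration database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** DAO-side helper: opens a federated datasource as a specific database account. */
public class FederatedConnections {
    // Assumed JNDI name; it must match the <jndi-name> of the configuration datasource.
    private static final String CONFIG_DS = "java:/ConfigDS";

    // Hypothetical mapping table: DS_ACCOUNT(APP_USER, DS_JNDI, DB_USER, DB_PASSWORD).
    private static final String LOOKUP_SQL =
        "SELECT DB_USER, DB_PASSWORD FROM DS_ACCOUNT WHERE APP_USER = ? AND DS_JNDI = ?";

    // targetJndi should come from the trusted datasource catalogue, not from user input.
    public static Connection open(String appUser, String targetJndi)
            throws NamingException, SQLException {
        InitialContext ctx = new InitialContext();
        try {
            DataSource config = (DataSource) ctx.lookup(CONFIG_DS);
            DataSource target = (DataSource) ctx.lookup(targetJndi);
            String dbUser;
            String dbPassword;
            // Bound parameters keep the caller's name out of the SQL text.
            try (Connection c = config.getConnection();
                 PreparedStatement ps = c.prepareStatement(LOOKUP_SQL)) {
                ps.setString(1, appUser);
                ps.setString(2, targetJndi);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next()) {
                        // Fail closed: no mapping means no connection, not a default account.
                        throw new SQLException(
                            "No database account mapped for " + appUser + " on " + targetJndi);
                    }
                    dbUser = rs.getString(1);
                    dbPassword = rs.getString(2);
                }
            }
            // With <application-managed-security/> in the target's *-ds.xml, pooled
            // connections are matched on the credentials supplied here.
            return target.getConnection(dbUser, dbPassword);
        } finally {
            ctx.close();
        }
    }
}
```

The caller owns the returned Connection and must close it so it goes back to the pool.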