4 Replies Latest reply on Jan 3, 2003 1:08 PM by dediana

    Datasource security in multiuser environment

    dediana
    dediana Dec 27, 2002 3:45 PM

      Hi,

      I have a server that is shared among many users. Which application represents one user inside the server. I want to know if there is a way to set datasource configuration so the server guarantees that a user doesn´t access another user´s datasource.
      If I was thinking in using just JDBC, it would be OK, because the access control could be at getConnection() calls. But I need CMP too, so this is not an option.
      For CMP, I could have user and password hardcoded in the DS configuration file and have all security set at the beans descriptors. But in this case a user can access another user´s datasource using JDBC.
      What I need is a mechanism that can control someone´s access to a DS based on the identity of the caller. Is there a way to do this? Maybe pass user name and password or the role from EJB to DS using JAAS?

      Thanks,

      Dediana

      • 3163 Views
      • Tags:
        • 1. Re: Datasource security in multiuser environment
          dediana
          dediana Dec 27, 2002 4:11 PM (in response to dediana)

          Sorry, if I have it configured for CMP one just can access the database using JDBC if he knows user and password, so it´s not a problem.
          But the problem persists because one can access the datasource using a BMP bean (it´s just do a lookup and get the DS).

          Dediana

            • Actions
          • 2. Re: Datasource security in multiuser environment
            luke_t Jan 1, 2003 8:20 PM (in response to dediana)

            Hi,

            Assuming I'm getting you straight, why do you want to use both app-server and database level security? This will prevent you from sharing connections between different users and you'll lose the benefits of having pooled connections.

            There is a method on the DataSource interface which takes a username and password, so you could use this, mapping the information from your J2EE users to your database users as you see fit.

            Luke.

              • Actions
            • 3. Re: Datasource security in multiuser environment
              davidjencks
              davidjencks Jan 2, 2003 1:02 AM (in response to dediana)

              I don't understand what you are trying to do, there are many possibilities consistent with your description. However, I suggest you look into using the CallerIdentityLoginModule.

                • Actions
              • 4. Re: Datasource security in multiuser environment
                dediana
                dediana Jan 3, 2003 1:08 PM (in response to dediana)

                Luke: This is my scenario: if I only use app-server level security, a user can use JDBC to have access to another user´s database if she has the db´s URL. If I only have db level security, a user can access other user´s datasource if she has the JNDI name of this DS. So I have to have both security levels.

                David: It was exactly what I was looking for.

                Thank you both for the help.

                Mauricio

                  • Actions