Can't you set up the datasource with an appropriate JNDI for each application?
Like java:jdbc/app1DB and java:jdbc/app2DB.
Yes, but app1 would be able to access app2DB and vice versa--which I don't want to allow.
Each application should have its own datasource that only it can access.
I can only think of using JBossSX combined with privileges over the files (such as not letting developers of App A look at the code of App B, nor letting anyone look at jboss.jcml, of course). If they don't know the name of the pool, they can't call it (unless they are the JNDI gurus that sometimes come by these forums ;)
Other than this, I would recommend setting up two separate servers.
Anyway, why is it that the J2EE security framework is not enough for your case? Once a friend of mine said that when the enemy is at home there is no place for security.
Hmm... that makes sense. Is there a way then using the J2EE security framework or JBossSX to make a datasource only available to certain web applications?
Any clues on where I would get started doing that? I looked through the docs on JBossSX, but I'm having a hard time trying to apply it to what I'm trying to do.
I'm trying to make it so web applications (or full EARs) can be sectioned off. I understand how I can use file permissions and Java security to ensure that they only have access to what they should, but JNDI seems to be a global thing to the app server and I don't know how to restrict applications to only access their datasource.
There is some support for this in the JCA framework which is the only way to use datasources in JBoss 3 and which is available earlier. You would have to write a PrincipalMapping class to actually use the incoming Principal information to derive a ResourceSubject to log into the database with. However, this will result in the wrong app not being able to log into the database, not the wrong app not being able to find the database. I don't know that anyone has done this; if you do it, please consider contributing the code.
What I was thinking might be easiest--is there a way to give each application its own JNDI with no access to other applications' JNDI section? Then you just have to be able to set up a DataSource on an application-specific basis and it will be placed in the application's private JNDI space.
Is that possible currently?